W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: Call for Proposals re: #314 HTTP2 and http:// URIs on the "open" internet

From: Mark Nottingham <mnot@mnot.net>
Date: Wed, 20 Nov 2013 15:00:18 +1100
Cc: Bjoern Hoehrmann <derhoermi@gmx.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <87E9681E-64AF-44B9-B25E-7CD37A08F25B@mnot.net>
To: James M Snell <jasnell@gmail.com>
On 20/11/2013, at 2:43 PM, James M Snell <jasnell@gmail.com> wrote:

> On Tue, Nov 19, 2013 at 7:03 PM, Mark Nottingham <mnot@mnot.net> wrote:
>> [snip]
>> No one has yet proposed that we mandate implementing HTTP/2.0 *without* TLS yet -- we'll cross that bridge if we come to it. Talking about "subverting the standards process" is thus WAY too premature.
>> 
> 
> Honestly, I'm close to this, but *only* over a new dedicated port. To
> be clear, as an application developer building on top of HTTP/2, I
> want to be able, should I so choose, to rely on the ability to use
> plain text http/2 and do not want a handful of user-agent developers
> to make that decision for me. That said, however, I recognize the
> challenges with making plaintext HTTP/2 over port 80 a mandatory to
> implement thing, therefore, mandatory to implement over a new
> dedicated port would appear to be a reasonable compromise option.

I think that, if proposed, it would be even more difficult to get consensus on this than on prohibiting HTTP/2 for http:// URIs. Not only are some implementers against it, but on its own, this would be a step backwards in security -- right now, HTTP/1.1 doesn't require implementation without encryption. 

Much experience has shown us that MUSTs and SHOULDs are ignored when they're disconnected from implementation needs -- even if those requirements are intended for the greater good.

Cheers,

--
Mark Nottingham   http://www.mnot.net/
Received on Wednesday, 20 November 2013 04:00:36 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:19 UTC