W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: Call for Proposals re: #314 HTTP2 and http:// URIs on the "open" internet

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Wed, 20 Nov 2013 06:27:52 +0100
To: Mark Nottingham <mnot@mnot.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <duao89prge1dtihrh01bcor4dn3ibjijsk@hive.bjoern.hoehrmann.de>
* Mark Nottingham wrote:
>No one has yet proposed that we mandate implementing HTTP/2.0 *without*
>TLS yet -- we'll cross that bridge if we come to it. Talking about
>"subverting the standards process" is thus WAY too premature.

To make this short, permit me to try an analogy. What if Chairs said:

  To reiterate -- some browser folks have stated that they will not be 
  implementing XYZ for WebRTC in their products, so unless they become
  convinced otherwise, there will still be a *market* requirement to
  implement ABC if you want to get the benefit of WebRTC with the
  broadest selection of clients.

Who will argue to make XYZ mandatory-to-implement for WebRTC browsers?

If somebody does, and they convince all but those browser folks that XYZ
should be mandatory-to-implement, but 80% of deployed web browsers end
up not implementing XYZ, then there is no Standards process, just the
browser folks doing whatever they want.

If nobody does because it's obviously pointless to argue, then there is
no Standards process either.

And if the browser folks are not convinced, but submit to the Standards
process, then there would be no "market requirement" for anything else.

Over in the Real-Time Communication in WEB-browsers Working Group the
"browser folks" have, as far as I have been able to follow, comitted to
the Standards process. I expect no less of them, or others, here.

>Please read that as deferring a decision. I'm happy for people to make
>proposals and discuss them. What I'm not willing to do is let a general
>discussion without focus continue for too long and threaten the rest of
>our work. It's quite apparent to me that people are digging in on their
>positions and we can't reach consensus that way.

I appreciate that. I am very interested in the threat model, knowing
what we should protect. I am extremely concerned that users might be-
come unable to audit what their "user agents" send and receive over the
wire if we mandate encryption of HTTP traffic without safeguards. My
suggestion is to work on problem statements before we decide on
solutions.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Wednesday, 20 November 2013 05:28:26 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:19 UTC