RE: Call for Proposals re: #314 HTTP2 and http:// URIs on the "open" internet from Yoav Nir on 2013-11-20 (ietf-http-wg@w3.org from October to December 2013)

From: Yoav Nir <synp71@live.com>
Date: Wed, 20 Nov 2013 08:15:09 +0000
To: Mark Nottingham <mnot@mnot.net>
CC: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <DUB124-W37E06C0E7E14129E51683CB1E60@phx.gbl>

And it seems that I'm in agreement with Roberto, which is... jarring.
Anyway, since this came up several times on the related threads, I think we should have a new issue about HTTP/2 in cleartext: Upgrade dance vs new dedicated port.
There are good arguments for each of these, but I think that defining both adds unnecessary complexity.
Yoav

> From: mnot@mnot.net
> Date: Wed, 20 Nov 2013 15:02:26 +1100
> CC: jasnell@gmail.com; derhoermi@gmx.net; ietf-http-wg@w3.org
> To: grmocg@gmail.com
> Subject: Re: Call for Proposals re: #314 HTTP2 and http:// URIs on the "open" internet
> 
> So I'm interpreting this as a two-part proto-proposal --
> 
> a) don't constrain the URI scheme for HTTP/2
> b) develop opportunistic encryption of some sort (issue #315).
> 
> Is that accurate?
> 
> Cheers,
> 
> 
> 
> On 20/11/2013, at 2:57 PM, Roberto Peon <grmocg@gmail.com> wrote:
> 
> > How about:
> > HTTPS schemed URLs MUST be sent on an authenticated TLS channel.
> > HTTP schemed URLs MAY be sent as unencrypted HTTP2 plaintext, or may be sent over a TLS channel.
> > 
> > If a server does not wish to handle HTTP schemed URLs over a TLS channel, it MUST reject these requests with a RST_STREAM or GOAWAY with an error code that indicates that the server does not support HTTP schemed URLs on port 443.
> > -=R
> > 
> > 
> > 
> > On Tue, Nov 19, 2013 at 7:43 PM, James M Snell <jasnell@gmail.com> wrote:
> > On Tue, Nov 19, 2013 at 7:03 PM, Mark Nottingham <mnot@mnot.net> wrote:
> > >[snip]
> > > No one has yet proposed that we mandate implementing HTTP/2.0 *without* TLS yet -- we'll cross that bridge if we come to it. Talking about "subverting the standards process" is thus WAY too premature.
> > >
> > 
> > Honestly, I'm close to this, but *only* over a new dedicated port. To
> > be clear, as an application developer building on top of HTTP/2, I
> > want to be able, should I so choose, to rely on the ability to use
> > plain text http/2 and do not want a handful of user-agent developers
> > to make that decision for me. That said, however, I recognize the
> > challenges with making plaintext HTTP/2 over port 80 a mandatory to
> > implement thing, therefore, mandatory to implement over a new
> > dedicated port would appear to be a reasonable compromise option.
> > 
> > - James
> > 
> > 
> 
> --
> Mark Nottingham   http://www.mnot.net/

> 
> 
> 
>

Received on Wednesday, 20 November 2013 08:15:37 UTC