Re: Fwd: New Version Notification for draft-nottingham-http2-encryption-02.txt

From: Eliot Lear <lear@cisco.com>
Date: Tue, 17 Dec 2013 20:22:06 +0100
Message-ID: <52B0A45E.2010901@cisco.com>
To: "William Chan (陈智昌)" <willchan@chromium.org>
CC: Adrien de Croy <adrien@qbik.com>, Brian Smith <brian@briansmith.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, Paul Hoffman <paul.hoffman@gmail.com>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Hi Will,

I'm a pretty simple guy and what will follow is simple logic.  But maybe
it's wrong (indicating I'm simpler still).  See below, please.

On 12/17/13 6:36 PM, William Chan (陈智昌) wrote:
> Did you mean CAs that offered free certs? Brian listed this earlier already.

That list was problematic.  It does not provide for general availability
of certificates, but for open source projects, and other limited groups,
an "inferior product" as Brian called it.

> And I know there are DANE fans here...I don't really want to talk
> about it here since it'll distract from the conversation. Please ask
> at https://code.google.com/p/chromium/issues/detail?id=50874. But in
> short, I believe we have no plans to implement.

Bringing this back around to draft-nottingham-http2-encryption, the
document poses a problematic issue around what is mandatory to
implement.  Some browser developers have made it clear that they're not
going to do unencrypted http2.  If reality is that HTTP2 will only be
implemented by browsers via TLS, then there are exactly two paths one can
follow:

1.  Everyone can and will use TLS in all circumstances; or
2.  Not everyone can and will use TLS in all circumstances, and hence
HTTP2 is not a replacement for HTTP.

Let us assume that (1) is the intended target.  In that case, we have
the following options:

 A. Demonstrate that free certificates are generally available,
 B. Use unauthenticated or opportunistic encryption,
 C. See that DANE is delivered, or
 D. Develop another option.

Personally I don't believe (A) and you and I have thus far rejected
(B)[*].  That leaves (C), which I personally like and you have no plan
to implement, or (D).  If you would like to avoid the distraction,
kindly correct my understanding?  Maybe you don't grant assumption of
(1).  I don't think others do, but the charter sort of pushes that
point.  Anyway, this is the reason we keep circling back to DANE, as I
see it.

Eliot

[*] I might be convinced that some form of encryption is yet a good idea.
Received on Tuesday, 17 December 2013 19:22:40 UTC