Hi Will, I'm a pretty simple guy and what will follow is simple logic. But maybe it's wrong (indicating I'm simpler still). See below, please. On 12/17/13 6:36 PM, William Chan (陈智昌) wrote: > Did you mean CAs that offered free certs? Brian listed this earlier already. That list was problematic. It does not provide for general availability of certificates, but for open source projects, and other limited groups, an "inferior product" as Brian called it. > And I know there are DANE fans here...I don't really want to talk > about it here since it'll distract from the conversation. Please ask > at https://code.google.com/p/chromium/issues/detail?id=50874. But in > short, I believe we have no plans to implement. Bringing this back around to draft-nottingham-http2-encryption, the document poses a problematic issue around what is mandatory to implement. Some browser developers have made it clear that they're not going to do unencrypted http2. If reality is that HTTP2 will only be implemented by browsers via TLS, then there are exactly to paths one can follow: 1. Everyone can and will use TLS in all circumstances; or 2. Not everyone can and will use TLS in all circumstances, and hence HTTP2 is not a replacement for HTTP. Let us assume that (1) is the intended target. In that case, we have the following options: 1. Demonstrate that free certificates are generally available, 2. Use unauthenticated or opportunistic encryption, 3. See that DANE is delivered, or 4. develop another option. Personally I don't believe (A) and you and I have thus far rejected (B)[*]. That leaves (C), which I personally like and you have no plan to implement, or (D). If you would like to avoid the distraction, kindly correct my understanding? Maybe you don't grant assumption of (1). I don't think others do, but the charter sort of pushes that point. Anyway, this is the reason we keep circling back to DANE, as I see it. Eliot [*] I might be convinced that some form of encryption is yet a good idea.
Received on Tuesday, 17 December 2013 19:22:40 UTC