- From: Eliot Lear <lear@cisco.com>
- Date: Fri, 15 Aug 2014 14:27:53 +0200
- To: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <53EDFCC9.1080606@cisco.com>

Hi Mark,

Just on these two points, taken together:

On 8/15/14, 4:58 AM, Mark Nottingham wrote:
> One proposal we considered was to require the use of TLS (through https:// URIs) for HTTP/2. However, some members of the community pushed back against this, on the grounds that it would be too onerous for some uses of HTTP (not necessarily CPU; cost and administration of certificates was cited as a burden, as was the follow-on disruption to applications, since transitioning from HTTP to HTTPS often requires non-trivial content changes, due to the way that the browser security model works).
>
> We also discussed an "Opportunistic Security" approach to using TLS for http:// URIs (but without authentication). This was a bit controversial too, as some community members felt that having another, weaker kind of security defined harms the long-term deployment of "full" TLS.

Some of us have been a little nervous about the spread of infections due to encryption with unauthenticated endpoints, making it a bit more of a pain for in-path virus checkers and such. That was raised several times. You saw data published to this list from Cisco saying that this wasn't really a problem when the server had a valid cert.

Eliot

Received on Friday, 15 August 2014 12:28:29 UTC