W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2016

Re: HTTP/2 - Unintended consequences of pseudo-mandatory TLS

From: Mark Nottingham <mnot@mnot.net>
Date: Mon, 14 Mar 2016 10:06:51 +1100
Cc: Phil Lello <phil@dunlop-lello.uk>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <154DB767-392F-4C16-A582-DA6E09CD7E28@mnot.net>
To: Daniel Stenberg <daniel@haxx.se>
Thanks, Daniel. 

Phil, we had a pretty extensive discussion about this, and as a WG decided not to require TLS for HTTP/2. 

I'm sympathetic to the need for a forum for such discussions -- and it's pretty clear that they're far from over -- but this isn't relevant to our current work. 


> On 14 Mar 2016, at 9:56 AM, Daniel Stenberg <daniel@haxx.se> wrote:
> On Sun, 13 Mar 2016, Phil Lello wrote:
>> Whilst I'm not certain that this is the right forum to address browser support for h2c / non-TLS HTTP/2, I'd like to state my concerns over the de facto requirement for TLS.
> Most of the things that can be said about this subject were iterated about 14 times each in the "SSL/TLS everywhere fail" discussion in December:
> https://lists.w3.org/Archives/Public/ietf-http-wg/2015OctDec/thread.html#msg313
> -- 
> / daniel.haxx.se

Mark Nottingham   https://www.mnot.net/
Received on Sunday, 13 March 2016 23:07:23 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 22 March 2016 12:47:11 UTC