Re: SPDY = HTTP/2.0 or not ?

On Mon, Mar 26, 2012 at 11:49 AM, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:

> In message <CAAbTgTto2rgiDVzyjJLfit1_kKLR45ZgfY2+PTBQ+V_sP4L3Qg@mail.gmail.com>, Brian Pane writes:
>
> >If we
> >convince ourselves that securing the transport is too onerous for
> >the thousands, or too inefficient for the millions, we'll be missing
> >a chance to better harden the web on behalf of the billions.
>
> ...but on the other hand, we might see the fruits of our labors actually
> used by people, if we try to deliver tools, rather than policies.
>

Your theory is provably false today:

Google, Twitter, Amazon and others have *already* deployed SPDY, even in
its current, early adopter form.  These deployments are clear evidence that
there is demand.   At the same time, all of these vendors would like to see
the features of SPDY made available in a standardized form through IETF.


>
> The choice of crypto or no crypto is for the HTTP-service provider to
> decide, it is not for us to decide on their behalf.
>

Nobody ever said we'd take away an unsecure path.  I just don't want it to
be the default.  Make security opt-out rather than opt-in.

How much global legislation about liability for accidentally leaked
information do you need before you'll believe that we have a responsibility
here?



> We can offer the tools, we can encourage the use of them, but we have
> neither moral nor political authority to mandate use of cryptography
> by people who do not want it.
>

Keep in mind the SPDY draft does not require SSL.

Mike



>
> --
> Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
> phk@FreeBSD.ORG         | TCP/IP since RFC 956
> FreeBSD committer       | BSD since 4.3-tahoe
> Never attribute to malice what can adequately be explained by incompetence.
>
>

Received on Monday, 26 March 2012 10:22:12 UTC