- From: Brian Pane <brianp@brianp.net>
- Date: Sun, 25 Mar 2012 17:50:39 -0700
- To: HTTP Working Group <ietf-http-wg@w3.org>

On Sun, Mar 25, 2012 at 3:59 AM, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
> 2. SPDY's requirement for SSL is never going to fly with
> p0rn^Wmultimedia sites, national emergency services,
> and other high volume/high spike sites.

It looks like the current SPDY proposal only requires TCP, not SSL:
http://tools.ietf.org/html/draft-mbelshe-httpbis-spdy-00#section-2

Nonetheless, I think it would be reasonable for HTTP/2.0 to require SSL. When HTTP/0.9 was first deployed, the typical client environment was an academic LAN where the users trusted each other. Today, the typical client environment is a coffee shop with an open wireless network. If HTTP/2.0 has an operational life as long as HTTP/1.x has had, decisions made this year will determine the default security of the web in 2028.

If the HTTP/2.0 standard mandates TLS, it will create pressure for implementors in the short term. But that's good, because implementors will see it as an opportunity. Hardware developers will step up their efforts to accelerate common ciphersuites. Software developers will step up their efforts to make session resumption scale. And the per-byte and per-session cost will drop. And all those people in the coffee shop will be better protected.

-Brian

Received on Monday, 26 March 2012 00:51:08 UTC