Discussion of Mandatory TLS in HTTP/2.0

[ with my Chair hat on ]

Our discussion over the last few days about requiring HTTP/2.0 to always use TLS has been interesting, but has started to generate more heat than light.

First of all, I'm going to ask everyone to refrain from making the same arguments more than once -- repetition does NOT strengthen them -- and to avoid responding to every comment made*. So far, the conversation has been dominated by a relatively small number of people and a lot of advocacy and supposition. I'd like to hear more from others.

Secondly, NONE of the proposals on the table explicitly mandate use of TLS, and therefore, any such requirement would have to be introduced as a change proposal after we choose one as a starting point (assuming we can choose one)**. 

Thirdly, my reading of the current discussion -- which is very preliminary, since we haven't even chosen a starting point -- is that there isn't yet consensus to make TLS mandatory to use for HTTP/2.0. That's not "official", just a sense of where we're at now. Clearly, whatever decision we come to, the consensus is going to be rough.

Finally, I'd encourage everyone to carefully read BCP61 <http://tools.ietf.org/html/bcp61> (hat tip to the Security ADs), as it embodies IETF policy in this area, and will doubtless guide our decisions here.

Discussing the fine details of this issue now isn't very helpful; we need to get a starting point selected first. New information about security requirements (or lack thereof) from implementers and deployers is welcome; constant back-and-forth is not.


* If you don't take this hint, I'll be asking you to demur, first privately, then publicly, as per BCP94.

** The SPDY proposal does imply its use, and if we choose it but don't make TLS mandatory, we may have to make a number of other adjustments to compensate (especially around upgrade).

Mark Nottingham   http://www.mnot.net/

Received on Thursday, 19 July 2012 03:55:30 UTC