- From: Greg Wilkins <gregw@intalio.com>
- Date: Fri, 20 Jul 2012 17:38:49 +1000
- To: Mark Nottingham <mnot@mnot.net>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
On 19 July 2012 13:55, Mark Nottingham <mnot@mnot.net> wrote: > Finally, I'd encourage everyone to carefully read BCP61 <http://tools.ietf.org/html/bcp61> (hat tip to the Security ADs), as it embodies IETF policy in this area, and will doubtless guide our decisions here. A paragraph of note in BCP61 is: 7. MUST is for Implementors We often say that Security is a MUST implement. It is worth noting that there is a significant different between MUST implement and MUST use. I do think there are good arguments to make to say that browsers MUST use confidentiality mechanism - I just don't think that we really want to get bogged down in debating those arguments here. We should endeavour to make HTTP/2.0 work well for both encrypted and clear text connections (and there is work to do to achieve that). Also I would assume that the inverse of 7 also applies. Just because we implement clear text connection does not mean that users MUST use them. Specifically the browser/server/service vendors should be able to choose not to use clear text connections (or at least make their usage difficult and non default). This would achieve a more confidential web, but would not require that all HTTP traffic be encrypted. The analogy that I see is that cell phone traffic used to be transmitted in the clear. It is now encrypted by default, but only when broadcast and there is no mandate that we keep the audio confidential when we send it over the wires to our headset or when it is bridged onto a PSTN. regards -- Greg Wilkins <gregw@intalio.com> http://www.webtide.com Developer advice and support from the Jetty & CometD experts.
Received on Friday, 20 July 2012 07:39:17 UTC