> Great, I think we've made progress here on narrowing in on the meat of the
> discussion. I've got nothing new here other than what others have already
> said, but I'll re-emphasize a particular point. We're primarily talking
> about http:// URIs here. Given that constraint, it's unclear if we want
> to require server authentication. I think most people are starting with
> just encryption. So while the authentication discussion is interesting, I'd
> ignore authentication for now.
>
>
Let's not ignore authentication. The PKI situation can be improved and
there is no reason that http:// can't carry at least the levels of
guarantees that https:// provides, modulo fear of downgrade attack back to
the lameness that is http/1. (So we're talking about transport level
enhancements - not web level security changes re mixed content, etc.)
That being said - I'm with the family on vacation this week. So please
don't take my silence for lack of interest.