- From: Eliot Lear <lear@cisco.com>
- Date: Tue, 27 Aug 2013 08:14:06 +0200
- To: willchan@google.com
- CC: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>

Hi Will,

On 8/26/13 4:33 PM, William Chan (陈智昌) wrote:
> Great, I think we've made progress here on narrowing in on the meat of
> the discussion. I've got nothing new here other than what others have
> already said, but I'll re-emphasize a particular point. We're
> primarily talking about http:// URIs here. Given that constraint, it's
> unclear if we want to require server authentication. I think most
> people are starting with just encryption. So while the authentication
> discussion is interesting, I'd ignore authentication for now.

I know I'm not winning any congeniality awards here for disagreeing so much, but I wouldn't entirely ignore authentication. As you browser folk know, you may have retained a lot of information about the server. Some of that information might involve the identity of the server, which is really what is at issue here.

Making use of that would be good, but I don't know if it can be done properly on port 80 in a standard, unless of course you happen to have a published DNS record with capabilities. It opens up a whole can of worms about whether example.com:80 and example.com:someotherportrunningSSL are equivalent. It's also not the most elegant idea I've ever had, I must say.

Eliot

Received on Tuesday, 27 August 2013 06:14:42 UTC