Re: Moving forward on improving HTTP's security

On 13 Nov 2013, at 7:47 pm, Julian Reschke <julian.reschke@gmx.de> wrote:

> I'm still confused. What you say implies that http: URIs will not use HTTP/2. We did *not* discuss this as option 4.

Julian,

Requiring the use of a secure underlying protocol naturally excludes opportunistic approaches, which puts http:// URIs off the table. People who want to use HTTP/2 for http:// URIs will need to redirect them to https:// (and possibly use HSTS, depending upon their use case).

If you’d like to make a different proposal, you’re certainly free to. In my estimation, after discussion in the room, on the list, with implementers, various ADs and others, this is the best chance we have of moving forward and actually getting better security for HTTP started. If a different consensus emerges, I’m happy to follow it, but I’m not willing to let this issue turn into a rathole that knocks us off of schedule (a position that has regularly been verified with the WG).

Regards,

—
Mark Nottingham   http://www.mnot.net/

Received on Wednesday, 13 November 2013 12:07:44 UTC