W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: Moving forward on improving HTTP's security

From: Mark Nottingham <mnot@mnot.net>
Date: Wed, 13 Nov 2013 20:07:17 +0800
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <8B3003BF-D814-4E3A-AAF5-F1A56DA5208D@mnot.net>
To: "Julian F. Reschke" <julian.reschke@gmx.de>

On 13 Nov 2013, at 7:47 pm, Julian Reschke <julian.reschke@gmx.de> wrote:

> I'm still confused. What you say implies that http: URIs will not use HTTP/2. We did *not* discuss this as option 4.


Requiring the use of a secure underlying protocol naturally excludes opportunistic approaches, which puts http:// URIs off the table. People who want to use HTTP/2 for http:// URIs will need to redirect them to https:// (and possibly use HSTS, depending upon their use case).

If youd like to make a different proposal, youre certainly free to. In my estimation, after discussion in the room, on the list, with implementers, various ADs and others, this is the best chance we have of moving forward and actually getting better security for HTTP started. If a different consensus emerges, Im happy to follow it, but Im not willing to let this issue turn into a rathole that knocks us off of schedule (a position that has regularly been verified with the WG).


Mark Nottingham   http://www.mnot.net/
Received on Wednesday, 13 November 2013 12:07:44 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:19 UTC