Re: Moving forward on improving HTTP's security

On 2013-11-13 13:07, Mark Nottingham wrote:
>
> On 13 Nov 2013, at 7:47 pm, Julian Reschke <julian.reschke@gmx.de> wrote:
>
>> I'm still confused. What you say implies that http: URIs will not use HTTP/2. We did *not* discuss this as option 4.
>
> Julian,
>
> Requiring the use of a secure underlying protocol naturally excludes opportunistic approaches, which puts http:// URIs off the table. People who want to use HTTP/2 for http:// URIs will need to redirect them to https:// (and possibly use HSTS, depending upon their use case).

That's not what our spec says right now.

I'm also not sure how use of a secure underlying protocol automatically excludes opportunistic approaches, unless you are *specifically* referring to what we currently specify for the upgrade from HTTP/1.1 to 2.0 on "http:".

To be clear: my main concern here is not the actual bits on the wire, but ruling out use of HTTP/2.0 for "http:" URIs.

> If you’d like to make a different proposal, you’re certainly free to. In my estimation, after discussion in the room, on the list, with implementers, various ADs and others, this is the best chance we have of moving forward and actually getting better security for HTTP started. If a different consensus emerges, I’m happy to follow it, but I’m not willing to let this issue turn into a rathole that knocks us off of schedule (a position that has regularly been verified with the WG).

As far as I can tell, what you are proposing is not what has been discussed during the actual working group meeting. We had several hums, and as far as I can tell, we had not even rough consensus for any of these options. The weakest "[ weakest for can't live with ]" outcome is recorded for option 3, not 4.

Apparently, this needs more discussion.

Best regards, Julian

Received on Wednesday, 13 November 2013 12:43:27 UTC