Re: Moving forward on improving HTTP's security

On 2013-11-13 13:07, Mark Nottingham wrote:
> On 13 Nov 2013, at 7:47 pm, Julian Reschke <> wrote:
>> I'm still confused. What you say implies that http: URIs will not use HTTP/2. We did *not* discuss this as option 4.
> Julian,
> Requiring the use of a secure underlying protocol naturally excludes opportunistic approaches, which puts http:// URIs off the table. People who want to use HTTP/2 for http:// URIs will need to redirect them to https:// (and possibly use HSTS, depending upon their use case).

That's not what our spec says right now.

I'm also not sure how use of a secure underlying protocol automatically 
excludes opportunistic approaches, unless you are *specifically* 
referring to what we currently specify for the upgrade from HTTP/1.1 to 
2.0 on "http:".

To be clear: my main concern here is not the actual bits on the wire, 
but ruling out use of HTTP/2.0 for "http:" URIs.

> If youd like to make a different proposal, youre certainly free to. In my estimation, after discussion in the room, on the list, with implementers, various ADs and others, this is the best chance we have of moving forward and actually getting better security for HTTP started. If a different consensus emerges, Im happy to follow it, but Im not willing to let this issue turn into a rathole that knocks us off of schedule (a position that has regularly been verified with the WG).

As far as I can tell, what you are proposing is not what has been 
discussed during the actual working group meeting. We had several hums, 
and as far as I can tell, we had not even rough consensus for any of 
these options. The weakest "[ weakest for can't live with ]" outcome is 
recorded for option 3, not 4.

Apparently, this needs more discussion.

Best regards, Julian

Received on Wednesday, 13 November 2013 12:43:27 UTC