Re: Moving forward on improving HTTP's security

On 13 Nov 2013, at 8:42 pm, Julian Reschke <julian.reschke@gmx.de> wrote:

> To be clear: my main concern here is not the actual bits on the wire, but ruling out use of HTTP/2.0 for "http:" URIs.

And the *precise* language around that is still TBD. I’m somewhat of a mind to not specify it at all, in that the implementations will naturally do this anyway, but since the strongest indication we have is that people want us to do *something*, those requirements may fulfil that role.

> As far as I can tell, what you are proposing is not what has been discussed during the actual working group meeting.

Your understanding of what happened seems like it’s different than the other people who I’ve spoken to. Regardless of that, however, we don’t need to discuss every option at physical meetings; we need to discuss them on the list. That’s what’s happening now.

> We had several hums, and as far as I can tell, we had not even rough consensus for any of these options. The weakest "[ weakest for can't live with ]" outcome is recorded for option 3, not 4.

Hums are not a means of judging consensus; they’re a means for the chair to gather information about the people in the room — nothing more. As a reminder, we make decisions in the IETF based upon technical merit, not voting.

I am very aware that we didn’t have ample time to discuss this issue in our Vancouver meeting. I doubt that having had two extra days (never mind hours) would have helped, and we wouldn’t have learned significantly more information even if we had them, since the positions were so divided. 

As a result, I’m making an informed judgement call, based upon discussions so far and the options available to us. I do not do so lightly, and have been in active consultation with many of those it will affect, as well as IETF leadership. If that call is wrong, I’m confident that the WG will correct it, but again, that is *not* voting.

> Apparently, this needs more discussion.

Of course. I’ve announced what I believe our current state is; if there is serious pushback that has technical merit, we’ll have to revisit it. And as I’ve said many times, I’m open to proposals — especially those that can a) gain consensus b) actually get implemented and c) get approved by the whole IETF community. Haven’t seen any others yet.

Regards,

--
Mark Nottingham   http://www.mnot.net/

Received on Wednesday, 13 November 2013 13:15:35 UTC