Re: Moving forward on improving HTTP's security

On 13 Nov 2013, at 8:42 pm, Julian Reschke wrote:

> To be clear: my main concern here is not the actual bits on the wire, but ruling out use of HTTP/2.0 for "http:" URIs.

And the *precise* language around that is still TBD. I'm somewhat of a mind to not specify it at all, in that the implementations will naturally do this anyway, but since the strongest indications we have is that people want us to do *something*, those requirements may fulfil that role.

> As far as I can tell, what you are proposing is not what has been discussed during the actual working group meeting.

Your understanding of what happened seems like it's different than the other people who I've spoken to. Regardless of that, however, we don't need to discuss every option at physical meetings; we need to discuss them on the list. That's what's happening now.

> We had several hums, and as far as I can tell, we had not even rough consensus for any of these options. The weakest "[ weakest for can't live with ]" outcome is recorded for option 3, not 4.

Hums are not a means of judging consensus; they're a means for the chair to gather information about the people in the room - nothing more. As a reminder, we make decisions in the IETF based upon technical merit, not voting.

I am very aware that we didn't have ample time to discuss this issue in our Vancouver meeting. I doubt that having had two extra days (never mind hours) would have helped, and we wouldn't have learned significantly more information even if we had them, since the positions were so divided.

As a result, I'm making an informed judgement call, based upon discussions so far and the options available to us. I do not do so lightly, and have been in active consultation with many of those it will affect, as well as IETF leadership. If that call is wrong, I'm confident that the WG will correct it, but again, that is *not* voting.

> Apparently, this needs more discussion.

Of course. I've announced what I believe our current state is; if there is serious pushback that has technical merit, we'll have to revisit it. And as I've said many times, I'm open to proposals - especially those that can a) gain consensus b) actually get implemented and c) get approved by the whole IETF community. Haven't seen any others yet.


Mark Nottingham

Received on Wednesday, 13 November 2013 13:15:35 UTC