Re: Moving forward on improving HTTP's security

On 2013-11-13 14:14, Mark Nottingham wrote:
> On 13 Nov 2013, at 8:42 pm, Julian Reschke <> wrote:
>> To be clear: my main concern here is not the actual bits on the wire, but ruling out use of HTTP/2.0 for "http:" URIs.
> And the *precise* language around that is still TBD. Iím somewhat of a mind to not specify it at all, in that the implementations will naturally do this anyway, but since the strongest indications we have is that people want us to do *something*, those requirements may fulfil that role.

How can implementations do "it" if we don't specify how?

>> As far as I can tell, what you are proposing is not what has been discussed during the actual working group meeting.
> Your understanding of what happened seems like itís different than the other people who Iíve spoken to. Regardless of that, however, we donít need to discuss every option at physical meetings; we need to discuss them on the list. Thatís whatís happening now.

Well, it's backed by the minutes, as far as I can tell.

And yes, the WG meeting is just advisory; what's relevant is what 
happens here on the mailing list. That's why I was confused by the 

"In subsequent discussion, there seems to be agreement that (C) is 
preferable to (B), since it is more straightforward; no new mechanism 
needs to be specified, and HSTS can be used for downgrade protection."

because I don't believe these discussions happened here on the mailing 
list (or, for that matter, on another IETF mailing list I'm subscribed to).

>> We had several hums, and as far as I can tell, we had not even rough consensus for any of these options. The weakest "[ weakest for can't live with ]" outcome is recorded for option 3, not 4.
> Hums are not a means of judging consensus; theyíre a means for the chair to gather information about the people in the room ó nothing more. As a reminder, we make decisions in the IETF based upon technical merit, not voting.


> I am very aware that we didnít have ample time to discuss this issue in our Vancouver meeting. I doubt that having had two extra days (never mind hours) would have helped, and we wouldnít have learned significantly more information even if we had them, since the positions were so divided.


> As a result, Iím making an informed judgement call, based upon discussions so far and the options available to us. I do not do so lightly, and have been in active consultation with many of those it will affect, as well as IETF leadership. If that call is wrong, Iím confident that the WG will correct it, but again, that is *not* voting.

Well, your mail makes it sound as if a decision already has been made, 
and that you're willing to revisit it if the WG pushes back. That's 
different from making a *proposal*, discuss it over here (and maybe 
*then* make a decision).

>> Apparently, this needs more discussion.
> Of course. Iíve announced what I believe our current state is; if there is serious pushback that has technical merit, weíll have to revisit it. And as Iíve said many times, Iím open to proposals ó especially those that can a) gain consensus b) actually get implemented and c) get approved by the whole IETF community. Havenít seen any others yet.

How do you judge the technical merit exactly?

Do you believe it's acceptable that the default naming scheme for the 
web ("http") is affected (in that either users keep getting redirected, 
or bookmarks/links will have to change)?

Best regards, Julian

Received on Wednesday, 13 November 2013 13:33:55 UTC