Re: Moving forward on improving HTTP's security

On 2013-11-13 14:14, Mark Nottingham wrote:
>
> On 13 Nov 2013, at 8:42 pm, Julian Reschke <julian.reschke@gmx.de> wrote:
>
>> To be clear: my main concern here is not the actual bits on the wire, but ruling out use of HTTP/2.0 for "http:" URIs.
>
> And the *precise* language around that is still TBD. I’m somewhat of a mind to not specify it at all, in that the implementations will naturally do this anyway, but since the strongest indications we have is that people want us to do *something*, those requirements may fulfil that role.

How can implementations do "it" if we don't specify how?

>> As far as I can tell, what you are proposing is not what has been discussed during the actual working group meeting.
>
> Your understanding of what happened seems like it’s different than the other people who I’ve spoken to. Regardless of that, however, we don’t need to discuss every option at physical meetings; we need to discuss them on the list. That’s what’s happening now.

Well, it's backed by the minutes, as far as I can tell.

And yes, the WG meeting is just advisory; what's relevant is what 
happens here on the mailing list. That's why I was confused by the 
statement:

"In subsequent discussion, there seems to be agreement that (C) is 
preferable to (B), since it is more straightforward; no new mechanism 
needs to be specified, and HSTS can be used for downgrade protection."

because I don't believe these discussions happened here on the mailing 
list (or, for that matter, on another IETF mailing list I'm subscribed to).

>> We had several hums, and as far as I can tell, we had not even rough consensus for any of these options. The weakest "[ weakest for can't live with ]" outcome is recorded for option 3, not 4.
>
> Hums are not a means of judging consensus; they’re a means for the chair to gather information about the people in the room — nothing more. As a reminder, we make decisions in the IETF based upon technical merit, not voting.

Yes.

> I am very aware that we didn’t have ample time to discuss this issue in our Vancouver meeting. I doubt that having had two extra days (never mind hours) would have helped, and we wouldn’t have learned significantly more information even if we had them, since the positions were so divided.

Indeed.

> As a result, I’m making an informed judgement call, based upon discussions so far and the options available to us. I do not do so lightly, and have been in active consultation with many of those it will affect, as well as IETF leadership. If that call is wrong, I’m confident that the WG will correct it, but again, that is *not* voting.

Well, your mail makes it sound as if a decision already has been made, 
and that you're willing to revisit it if the WG pushes back. That's 
different from making a *proposal*, discuss it over here (and maybe 
*then* make a decision).

>> Apparently, this needs more discussion.
>
> Of course. I’ve announced what I believe our current state is; if there is serious pushback that has technical merit, we’ll have to revisit it. And as I’ve said many times, I’m open to proposals — especially those that can a) gain consensus b) actually get implemented and c) get approved by the whole IETF community. Haven’t seen any others yet.

How do you judge the technical merit exactly?

Do you believe it's acceptable that the default naming scheme for the 
web ("http") is affected (in that either users keep getting redirected, 
or bookmarks/links will have to change)?

Best regards, Julian

Received on Wednesday, 13 November 2013 13:33:55 UTC