Re: Moving forward on improving HTTP's security

Hi Julian,

On 13 Nov 2013, at 9:33 pm, Julian Reschke <> wrote:

>> As a result, Iím making an informed judgement call, based upon discussions so far and the options available to us. I do not do so lightly, and have been in active consultation with many of those it will affect, as well as IETF leadership. If that call is wrong, Iím confident that the WG will correct it, but again, that is *not* voting.
> Well, your mail makes it sound as if a decision already has been made, and that you're willing to revisit it if the WG pushes back. That's different from making a *proposal*, discuss it over here (and maybe *then* make a decision).

I would put it differently. I see only one viable path forward at this point in time, based upon the myriad constraints we face. If another becomes available, of course we will consider it. 

>> Of course. Iíve announced what I believe our current state is; if there is serious pushback that has technical merit, weíll have to revisit it. And as Iíve said many times, Iím open to proposals ó especially those that can a) gain consensus b) actually get implemented and c) get approved by the whole IETF community. Havenít seen any others yet.
> How do you judge the technical merit exactly?

On a case by case basis. How do you expect me to answer that question? 

> Do you believe it's acceptable that the default naming scheme for the web ("http") is affected (in that either users keep getting redirected, or bookmarks/links will have to change)?

...*if* they want to use the latest version of HTTP, and provided that another mechanism isnít added later. 

I do want to explore this issue; we might need to either layer on opportunistic encryption (which is NOT yet firmly ruled out; weíll evaluate whether itís still needed as we progress), modify our charter, or address it in some other way.


Mark Nottingham

Received on Wednesday, 13 November 2013 16:00:16 UTC