W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: Moving forward on improving HTTP's security

From: Willy Tarreau <w@1wt.eu>
Date: Thu, 14 Nov 2013 12:18:54 +0100
To: Martin J. Dürst <duerst@it.aoyama.ac.jp>
Cc: Rob Trace <Rob.Trace@microsoft.com>, Michael Sweet <msweet@apple.com>, Mike Belshe <mike@belshe.com>, Tao Effect <contact@taoeffect.com>, Tim Bray <tbray@textuality.com>, James M Snell <jasnell@gmail.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20131114111854.GD5817@1wt.eu>
Hello Martin,

On Thu, Nov 14, 2013 at 07:49:17PM +0900, "Martin J. Dürst" wrote:
> >And so what ? It's not a problem. Some browsers will likely implement
> >it at least with a config option that's disabled by default, and these
> >browsers will be the ones picked by developers during their tests,
> >because developers pick the browser that makes their life easier.
> Sorry I wasn't clear enough. What I meant was: Does it make sense, as 
> Mark proposed at the start of this thread, to rely on browsers to not 
> implement HTTP 2.0 over the clear, if one of the major browser makers is 
> already saying they won't follow?

He didn't propose this, he proposed that it's not *used* by default, which
is very different. I think this is what could drive TLS adoption up the
most reasonable way without making it a blind requirement with all the
downsides that can be expectd.

> Of course for you or me that's not a problem because we are not strongly 
> insisting on HTTP 2.0 over TLS only.

You know, I'm for not deciding for others what's best for them. Engineers
design and propose, users adopt, and the most suited design wins (and
rarely the best).

Received on Thursday, 14 November 2013 11:19:32 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:19 UTC