- From: James M Snell <jasnell@gmail.com>
- Date: Sun, 17 Nov 2013 11:40:26 -0800
- To: Patrick McManus <pmcmanus@mozilla.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CABP7RbeFgHYpSLunBd0PLf6_xaqBTKYzVh8m4Jzw=fds7X6iow@mail.gmail.com>
Then don't. This approach does not require you to do anything you don't want to do. It just says that if you want plaintext http/2 you can have it. On a different default port and a few other moderately difficult hurdles. If, however, you want to deploy on the open Web, the secure approach is more reliable and less painful and is likely what you should do instead. On Nov 17, 2013 11:34 AM, "Patrick McManus" <pmcmanus@mozilla.com> wrote: > > > > On Sun, Nov 17, 2013 at 1:08 PM, James M Snell <jasnell@gmail.com> wrote: > >> The volume on the other threads on the security subject is causing far >> too much noise. I have a proposal that offers a compromise approach. I >> posted about this partially in one of the threads but I'm afraid it got >> lost in the noise. Others have touched on the same basic idea: >> >> 1. By default, assign plain text http/2 to a new port. >> 2. Document that plaintext http/2 can be sent over port 80 but document >> the various possible issues with reliability. >> 3. Strongly recommend that http/2 be sent over TLS instead of plaintext. >> 4. Establish a new http2 URL protocol prefix for plaintext http2 over the >> new default port >> >> I will not deploy another cleartext protocol. Especially another one > where the choice of encryption is solely made by the server. It doesn't > serve my user base, or imo the web. > > -P > > > >> >
Received on Sunday, 17 November 2013 19:40:53 UTC