- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Sun, 17 Nov 2013 15:27:17 -0800
- To: HTTP Working Group <ietf-http-wg@w3.org>
On Nov 17, 2013, at 1:09 PM, Poul-Henning Kamp wrote:

> In message <CACuKZqHKjpvgu=TOGsG6FVKtVnJnom1pn8FnuWit9XraW-JM-w@mail.gmail.com>, Zhong Yu writes:
>
>> If a URL is http://something, it better means that the document can be
>> retrieved by HTTP/1 on clear TCP. If that assumption is broken, a lot
>> of software will be broken.
>
> No, it means "fetch this with HTTP", it doesn't say "HTTP/1" anywhere
> and if the user-agent determines that it can be fetched better with
> HTTP/2 on port 100, then that's just fine.

The URI scheme defines a name resolution mapping. "http", in particular, defines a mapping to a hypothetical HTTP server listening to the default (or given) TCP port. That server is authoritative for the remaining URI bits.

The scheme does not mean "fetch"; GET does, which is a method constructed based on context found outside the URI. The scheme does not mean "use HTTP"; the tools a user chooses to make use of the Internet determine what protocols to use, corresponding to which schemes, and may or may not intend to do so through network access to an authoritative server. "http" URIs can and do "work" when a user agent has no network access.

Security is a systemic issue, not a protocol issue. There is nothing secure about TLS or encryption. There are merely some use cases in which the data crossing the wire can be made confidential to a given set of key holders, preferably controlled by the entity to which the user intends to communicate in confidence. That level of confidentiality is sufficient for many commerce use cases. It does not provide privacy. Anyone who thinks adding TLS to plain HTTP will improve security, let alone privacy, needs to learn how TLS gets its security. Encryption is not magic pixie dust.

For HTTP, the scheme identifies an authority. A user trusts their user agent to retrieve somewhat authoritative responses. If a user agent can obtain reasonably authoritative responses via other means, then it can use those other means instead of the default means defined by the scheme, regardless of the scheme.

....Roy
Received on Sunday, 17 November 2013 23:27:41 UTC