Re: A proposal from Michael Sweet on 2013-11-18 (ietf-http-wg@w3.org from October to December 2013)

From: Michael Sweet <msweet@apple.com>
Date: Sun, 17 Nov 2013 21:26:55 -0500
To: James M Snell <jasnell@gmail.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-id: <8C558BB1-03B5-4A70-B974-920EEC5208C3@apple.com>

James,

I'm generally -1 on this approach, and I really don't like introducing a new URI scheme - we end up partitioning the 'web and make it confusing to deploy (how do you explain why https: doesn't need the same treatment and http: still works, etc.)

I personally think we can make the 2.0 upgrade on http: work over port 80 more reliably with broken proxies, but we really need to do more testing to actually know whether delaying the upgrade until the client sees an Upgrade: header from the server helps (the first request is HTTP/1.1, then the following request starts the upgrade...)


On Nov 17, 2013, at 1:08 PM, James M Snell <jasnell@gmail.com> wrote:

> The volume on the other threads on the security subject is causing far too much noise. I have a proposal that offers a compromise approach. I posted about this partially in one of the threads but I'm afraid it got lost in the noise. Others have touched on the same basic idea:
> 
> 1. By default, assign plain text http/2 to a new port.
> 2. Document that plaintext http/2 can be sent over port 80 but document the various possible issues with reliability.
> 3. Strongly recommend that http/2 be sent over TLS instead of plaintext.
> 4. Establish a new http2 URL protocol prefix for plaintext http2 over the new default port
> 
> This does several things.
> 
> A. It makes plaintext http/2 possible but significantly harder. Some. Would argue that makes plaintext http/2 "undeployable"... The same people who have argued that have also argued that plaintext http/2 should not be used at all. Therefore, those people really do not lose anything by following this approach.
> 
> B. It makes http/2 over TLS the default for the public internet since that's the only option that would be broadly deployable on today's infrastructure.
> 
> C. It makes it less likely that we would have to deal with the upgrade dance on port 80. Which is a good thing. Http:// URLs would always mean http/1.x. Http2://example:80 would mean http/2 over port 80.
> 
> D. Developers would be forced to make a conscious choice to use plaintext http/2 over an established default port. There's zero ambiguity.
> 
> The folks who are arguing for TLS only really lose nothing with this approach. It still, over course, does nothing about the mitm issues on port 443, but its a start. 
> 
> - James
> 
> 

_________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair

Received on Monday, 18 November 2013 02:29:23 UTC