Re: A proposal from Mark Nottingham on 2013-11-18 (ietf-http-wg@w3.org from October to December 2013)

From: Mark Nottingham <mnot@mnot.net>
Date: Mon, 18 Nov 2013 13:48:47 +1100
To: Michael Sweet <msweet@apple.com>
Cc: James M Snell <jasnell@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <591D11B0-1DF0-4F38-A62C-90B77CFD2DF3@mnot.net>

FWIW - James has brought this idea to the WG in the past, and we've failed to get any consensus on it. I don't see it gaining any more now.

Regards,


On 18/11/2013, at 1:26 PM, Michael Sweet <msweet@apple.com> wrote:

> James,
> 
> I'm generally -1 on this approach, and I really don't like introducing a new URI scheme - we end up partitioning the 'web and make it confusing to deploy (how do you explain why https: doesn't need the same treatment and http: still works, etc.)
> 
> I personally think we can make the 2.0 upgrade on http: work over port 80 more reliably with broken proxies, but we really need to do more testing to actually know whether delaying the upgrade until the client sees an Upgrade: header from the server helps (the first request is HTTP/1.1, then the following request starts the upgrade...)
> 
> 
> On Nov 17, 2013, at 1:08 PM, James M Snell <jasnell@gmail.com> wrote:
> 
>> The volume on the other threads on the security subject is causing far too much noise. I have a proposal that offers a compromise approach. I posted about this partially in one of the threads but I'm afraid it got lost in the noise. Others have touched on the same basic idea:
>> 
>> 1. By default, assign plain text http/2 to a new port.
>> 2. Document that plaintext http/2 can be sent over port 80 but document the various possible issues with reliability.
>> 3. Strongly recommend that http/2 be sent over TLS instead of plaintext.
>> 4. Establish a new http2 URL protocol prefix for plaintext http2 over the new default port
>> 
>> This does several things.
>> 
>> A. It makes plaintext http/2 possible but significantly harder. Some. Would argue that makes plaintext http/2 "undeployable"... The same people who have argued that have also argued that plaintext http/2 should not be used at all. Therefore, those people really do not lose anything by following this approach.
>> 
>> B. It makes http/2 over TLS the default for the public internet since that's the only option that would be broadly deployable on today's infrastructure.
>> 
>> C. It makes it less likely that we would have to deal with the upgrade dance on port 80. Which is a good thing. Http:// URLs would always mean http/1.x. Http2://example:80 would mean http/2 over port 80.
>> 
>> D. Developers would be forced to make a conscious choice to use plaintext http/2 over an established default port. There's zero ambiguity.
>> 
>> The folks who are arguing for TLS only really lose nothing with this approach. It still, over course, does nothing about the mitm issues on port 443, but its a start. 
>> 
>> - James
>> 
>> 
> 
> _________________________________________________________
> Michael Sweet, Senior Printing System Engineer, PWG Chair
> 

--
Mark Nottingham   http://www.mnot.net/

Received on Monday, 18 November 2013 02:49:09 UTC