Re: A proposal

Well, from what I've seen in this thread so far, only the idea of a new
url scheme seems unpopular.  The idea of having a dedicated port for
plaintext http/2 has received several mentions of support. Nevertheless,
the proposal was relevant to the conversation so I brought it up again.
Definitely seems like positions haven't changed so I'll go ahead and not
mention it again.
On Nov 17, 2013 6:48 PM, "Mark Nottingham" <mnot@mnot.net> wrote:

> FWIW - James has brought this idea to the WG in the past, and we've failed
> to get any consensus on it. I don't see it gaining any more now.
>
> Regards,
>
>
> On 18/11/2013, at 1:26 PM, Michael Sweet <msweet@apple.com> wrote:
>
> > James,
> >
> > I'm generally -1 on this approach, and I really don't like introducing a
> > new URI scheme - we end up partitioning the web and make it confusing to
> > deploy (how do you explain why https: doesn't need the same treatment and
> > http: still works, etc.)
> >
> > I personally think we can make the 2.0 upgrade on http: work over port
> > 80 more reliably with broken proxies, but we really need to do more testing
> > to actually know whether delaying the upgrade until the client sees an
> > Upgrade: header from the server helps (the first request is HTTP/1.1, then
> > the following request starts the upgrade...)
> >
> >
> > On Nov 17, 2013, at 1:08 PM, James M Snell <jasnell@gmail.com> wrote:
> >
> >> The volume on the other threads on the security subject is causing far
> >> too much noise. I have a proposal that offers a compromise approach. I
> >> posted about this partially in one of the threads but I'm afraid it got
> >> lost in the noise. Others have touched on the same basic idea:
> >>
> >> 1. By default, assign plain text http/2 to a new port.
> >> 2. Document that plaintext http/2 can be sent over port 80 but document
> >> the various possible issues with reliability.
> >> 3. Strongly recommend that http/2 be sent over TLS instead of plaintext.
> >> 4. Establish a new http2 URL protocol prefix for plaintext http2 over
> >> the new default port
> >>
> >> This does several things.
> >>
> >> A. It makes plaintext http/2 possible but significantly harder. Some
> >> would argue that makes plaintext http/2 "undeployable"... The same people
> >> who have argued that have also argued that plaintext http/2 should not be
> >> used at all. Therefore, those people really do not lose anything by
> >> following this approach.
> >>
> >> B. It makes http/2 over TLS the default for the public internet since
> >> that's the only option that would be broadly deployable on today's
> >> infrastructure.
> >>
> >> C. It makes it less likely that we would have to deal with the upgrade
> >> dance on port 80. Which is a good thing. Http:// URLs would always mean
> >> http/1.x. Http2://example:80 would mean http/2 over port 80.
> >>
> >> D. Developers would be forced to make a conscious choice to use
> >> plaintext http/2 over an established default port. There's zero ambiguity.
> >>
> >> The folks who are arguing for TLS only really lose nothing with this
> >> approach. It still, of course, does nothing about the mitm issues on port
> >> 443, but it's a start.
> >>
> >> - James
> >>
> >>
> >
> > _________________________________________________________
> > Michael Sweet, Senior Printing System Engineer, PWG Chair
> >
>
> --
> Mark Nottingham   http://www.mnot.net/
>
>
>
>

Received on Monday, 18 November 2013 03:09:59 UTC