- From: Yoav Nir <synp71@live.com>
- Date: Mon, 18 Nov 2013 13:18:32 +0200
- To: ietf-http-wg@w3.org
On 18/11/13 5:12 AM, Mark Nottingham wrote: > I can see two possible paths forward: > > * We can continue to say nothing, meaning that at least some implementations will only implement HTTP/2 for https:// URIs, and interop will be determined by the market (read: chaotic). If we keep on spinning our wheels, this is likely where we'll end up; we can't let this issue dominate the rest of our work. > > * We can compromise and agree upon when and where HTTP/2 can be used for http:// URLs (e.g., for .local and RFC1918 addresses, and/or when alternate mechanisms for important aspects of security are layered in, whether that's opportunistic encryption or something else). This is where I think more discussion will help. > > If anyone can suggest another realistic approach, we're listening. > I think HTTP is used for so many things in so many scenarios, that trying to give general guidance in the base spec is asking for trouble (example: when checking certificate revocation, you use HTTP to download either a CRL or an OCSP response. You can't use authenticated TLS there). So I see one additional path forward: * Say nothing in the base spec, but create an additional document targeted for Informational, and called "Recommendations for using HTTP/2 on the web". Even if that document becomes a tar-pit of political discussion, it will allow the base spec to go forward on time. If, however, we really want to standardize a new port for HTTP/2 in the clear (or with opportunistic encryption), that can and should go in the base spec, I think. Yoav
Received on Monday, 18 November 2013 11:19:02 UTC