Re: A proposal

I suspect when we say "open" internet, we're talking about the "public"
internet, btw.
From a purely engineering standpoint, we need only to ensure that the
ability to do the "right thing" exists in the protocol by providing for
adequate opt-out or opt-in semantics.
Putting this another way:
The definition of "right thing" varies.
An adequately specified opt-in or opt-out mechanism for encryption allows
for this varied definition.
-=R


On Mon, Nov 18, 2013 at 4:19 AM, Yoav Nir <synp71@live.com> wrote:

> On 18/11/13 1:44 PM, Mark Nottingham wrote:
>
>> On 18 Nov 2013, at 10:18 pm, Yoav Nir <synp71@live.com> wrote:
>>
>>> I think HTTP is used for so many things in so many scenarios, that
>>> trying to give general guidance in the base spec is asking for trouble
>>> (example: when checking certificate revocation, you use HTTP to download
>>> either a CRL or an OCSP response. You can't use authenticated TLS there).
>>>
>> Again, we’re talking about the case of a browser on the “open” Web — the
>> many special cases don’t apply here.
>>
> I don't think we'll reach consensus on what is appropriate for the open
> web. But I think de-coupling that discussion from the base document is a
> win. I personally don't think that denying the benefits of HTTP/2 to
> websites that choose not to use encryption is justified. But browser
> support will be determined by market forces, unless the browser vendors
> would like to form a benevolent cartel forcing the correct policy on all
> the web.
>
> BTW: Downloading CRLs or OCSP responses to verify certificates used in
> HTTPS is very much part of the open web.
>
> Yoav
>
>
>

Received on Monday, 18 November 2013 16:41:49 UTC