- From: Mark Nottingham <mnot@mnot.net>
- Date: Wed, 20 Nov 2013 15:00:18 +1100
- To: James M Snell <jasnell@gmail.com>
- Cc: Bjoern Hoehrmann <derhoermi@gmx.net>, HTTP Working Group <ietf-http-wg@w3.org>
On 20/11/2013, at 2:43 PM, James M Snell <jasnell@gmail.com> wrote: > On Tue, Nov 19, 2013 at 7:03 PM, Mark Nottingham <mnot@mnot.net> wrote: >> [snip] >> No one has yet proposed that we mandate implementing HTTP/2.0 *without* TLS yet -- we'll cross that bridge if we come to it. Talking about "subverting the standards process" is thus WAY too premature. >> > > Honestly, I'm close to this, but *only* over a new dedicated port. To > be clear, as an application developer building on top of HTTP/2, I > want to be able, should I so choose, to rely on the ability to use > plain text http/2 and do not want a handful of user-agent developers > to make that decision for me. That said, however, I recognize the > challenges with making plaintext HTTP/2 over port 80 a mandatory to > implement thing, therefore, mandatory to implement over a new > dedicated port would appear to be a reasonable compromise option. I think that, if proposed, it would be even more difficult to get consensus on this than on prohibiting HTTP/2 for http:// URIs. Not only are some implementers against it, but on its own, this would be a step backwards in security -- right now, HTTP/1.1 doesn't require implementation without encryption. Much experience has shown us that MUSTs and SHOULDs are ignored when they're disconnected from implementation needs -- even if those requirements are intended for the greater good. Cheers, -- Mark Nottingham http://www.mnot.net/
Received on Wednesday, 20 November 2013 04:00:36 UTC