- From: James M Snell <jasnell@gmail.com>
- Date: Tue, 19 Nov 2013 20:24:20 -0800
- To: Mark Nottingham <mnot@mnot.net>
- Cc: Bjoern Hoehrmann <derhoermi@gmx.net>, HTTP Working Group <ietf-http-wg@w3.org>
On Tue, Nov 19, 2013 at 8:00 PM, Mark Nottingham <mnot@mnot.net> wrote: [snip] > > I think that, if proposed, it would be even more difficult to get consensus on this than on prohibiting HTTP/2 for http:// URIs. Not only are some implementers against it, but on its own, this would be a step backwards in security -- right now, HTTP/1.1 doesn't require implementation without encryption. > Nor does HTTP/1.1 require implementation *with* encryption. Note that by making plaintext on a dedicated port required to implement obviously doesn't make it required to use. That said, if there's no chance of getting consensus around this, then maintaining the current status quo is my second best choice. - James > Much experience has shown us that MUSTs and SHOULDs are ignored when they're disconnected from implementation needs -- even if those requirements are intended for the greater good. > > Cheers, > > -- > Mark Nottingham http://www.mnot.net/ > > >
Received on Wednesday, 20 November 2013 04:25:07 UTC