- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Wed, 20 Nov 2013 06:27:52 +0100
- To: Mark Nottingham <mnot@mnot.net>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
* Mark Nottingham wrote:
>No one has yet proposed that we mandate implementing HTTP/2.0 *without*
>TLS yet -- we'll cross that bridge if we come to it. Talking about
>"subverting the standards process" is thus WAY too premature.

To make this short, permit me to try an analogy. What if Chairs said:

  To reiterate -- some browser folks have stated that they will not be
  implementing XYZ for WebRTC in their products, so unless they become
  convinced otherwise, there will still be a *market* requirement to
  implement ABC if you want to get the benefit of WebRTC with the
  broadest selection of clients.

Who will argue to make XYZ mandatory-to-implement for WebRTC browsers?

If somebody does, and they convince all but those browser folks that XYZ should be mandatory-to-implement, but 80% of deployed web browsers end up not implementing XYZ, then there is no Standards process, just the browser folks doing whatever they want.

If nobody does because it's obviously pointless to argue, then there is no Standards process either. And if the browser folks are not convinced, but submit to the Standards process, then there would be no "market requirement" for anything else.

Over in the Real-Time Communication in WEB-browsers Working Group the "browser folks" have, as far as I have been able to follow, committed to the Standards process. I expect no less of them, or others, here.

>Please read that as deferring a decision. I'm happy for people to make
>proposals and discuss them. What I'm not willing to do is let a general
>discussion without focus continue for too long and threaten the rest of
>our work. It's quite apparent to me that people are digging in on their
>positions and we can't reach consensus that way.

I appreciate that. I am very interested in the threat model, knowing what we should protect. I am extremely concerned that users might become unable to audit what their "user agents" send and receive over the wire if we mandate encryption of HTTP traffic without safeguards.

My suggestion is to work on problem statements before we decide on solutions.

-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Wednesday, 20 November 2013 05:28:26 UTC