Re: Call for Proposals re: #314 HTTP2 and http:// URIs on the "open" internet

Roberto wrote:
> How about:
> HTTPS schemed URLs MUST be sent on an authenticated TLS channel.
> HTTP schemed URLs MAY be sent as unencrypted HTTP2 plaintext, or may
> be sent over a TLS channel.
>
> If a server does not wish to handle HTTP schemed URLs over a TLS
> channel, it MUST reject these requests with a RST_STREAM or GOAWAY
> with an error code that indicates that the server does not support
> HTTP schemed URLs on port 443.

mnot wrote:
> On Nov 19, 2013 8:02 PM, "Mark Nottingham" <mnot@mnot.net> wrote:
> So I'm interpreting this as a two-part proto-proposal --
>
> a) don't constrain the URI scheme for HTTP/2
> b) develop opportunistic encryption of some sort (issue #315).
>
> Is that accurate?

Roberto wrote:
> Yup.

3.4 says "servers supporting HTTP/2.0 are required to support protocol
negotiation in TLS for "https" URIs", so I'm not sure if Roberto's first
sentence is required.  I guess there's a *minor* ambiguity there.

If the second and third sentences are part of an opportunistic encryption
mechanism, I'd suggest that means we can resolve #314 by either keeping the
document as-is or possibly adding the clarifying statement above, and move
the rest to #315.

 --
  Matthew Kerwin
  http://matthew.kerwin.net.au/

Received on Wednesday, 20 November 2013 07:30:30 UTC