- From: Adrien de Croy <adrien@qbik.com>
- Date: Thu, 12 Dec 2013 08:22:46 +0000
- To: "Mark Nottingham" <mnot@mnot.net>, "Stephen Farrell" <stephen.farrell@cs.tcd.ie>
- Cc: "Roberto Peon" <grmocg@gmail.com>, "HTTP Working Group" <ietf-http-wg@w3.org>
------ Original Message ------
From: "Mark Nottingham" <mnot@mnot.net>
>
>What I don't want to do is spend months-to-years developing a new kind
>of explicit proxy in HTTP in the *hope* that it'll somehow magically
>supplant these devices, without some sort of evidence that it has a
>chance of doing so.
>
I'm getting the feeling we're doing just this when it comes to HTTP/2.
About 80% of the posts on the list here seem to be based on the foregone
conclusion that HTTP/2 will be over TLS only, and that therefore ALPN
will be available.

But last time I looked we were a long way from consensus on HTTP/2 being
over TLS only. Or did I miss something?

So what's the plan?

Seems dangerous to do all this work based on something that is still
highly contentious without first reaching some conclusions about
mandatory TLS.

And also for the record.

Most of my customers would have a big problem with the proposal that
connections to the ("trusted") proxy should be over TLS.

For many of them the proxy is already working the hardware quite hard
(either old hardware or high-end). To reduce capacity by 75% or more
just by making everything TLS would mean they would all need to go get
new or extra hardware for their proxy. I foresee a lot of resistance to
this.

I don't see why the client needs to auth the proxy inside a private
network.
Received on Thursday, 12 December 2013 08:22:55 UTC