Re: What will incentivize deployment of explicit proxies? from Mark Nottingham on 2013-12-13 (ietf-http-wg@w3.org from October to December 2013)

From: Mark Nottingham <mnot@mnot.net>
Date: Fri, 13 Dec 2013 12:15:29 +1100
To: Adrien de Croy <adrien@qbik.com>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Roberto Peon <grmocg@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <D1BB065C-7D14-4D57-99F0-6BCF61DAE40D@mnot.net>

Adrien,

On 12 Dec 2013, at 7:22 pm, Adrien de Croy <adrien@qbik.com> wrote:
> 
> About 80% of the posts on the list here seem to be based on the foregone conclusion that HTTP/2 will be over TLS only, and that therefore ALPN will be available.
> 
> But last time I looked we were a long way from consensus on HTTP/2 being over TLS only.  Or did I miss something?

This is being tracked at --
  https://github.com/http2/http2-spec/issues/314

A while back, I asked for proposals to address that issue. So far, the only proposal we've had is effectively the status quo -- i.e., not to make anything mandatory.

In particular, no one has yet proposed that TLS be mandatory for HTTP/2.  Some people have stated that their products will only support HTTP/2 when it happens over TLS, but they are not suggesting (so far) that this be written into the specification.

> So what's the plan?

My inclination at this point is to continue to document the different ways to negotiate HTTP/2 (i.e., for both http:// and https:// URLs), and see how the protocol is implemented. If we get rough consensus and have running code, we might include opportunistic encryption for http:// URIs as well (the alt-svc and http2-encryption drafts are just proposals, not yet WG documents). 

Depending on how that goes, we might talk about starting a separate Informational document to track how browsers use HTTP/2 (as opposed to various other use cases for the protocol), in an effort to encourage convergence. Such a document would ideally contain a profile of HTTP/2 that spells how how browser implementations use the protocol; less ideally, it would contain more than one. 

We also might work on other mechanisms (e.g., explicit proxy) in separate documents. 

We'll be talking about all of this as we go along, and especially at the upcoming interim meeting. Implementation (as well as deployment) experience, along with discussion, may give us more insight that makes making decisions easier than it is now.

For now, though, getting consensus on mandatory-to-use TLS seems unlikely, based on the discussion so far (never mind that it hasn't even been proposed formally). 

The wild card in all of this is draft-farrell-perpass-attack. If that document gains IETF consensus, we'll need to demonstrate that we've at least considered pervasive monitoring as a threat, and can explain why we have taken the approach we have.

Regards,

--
Mark Nottingham   http://www.mnot.net/

Received on Friday, 13 December 2013 01:16:00 UTC