On 11/14/2013 10:01 PM, Mike Belshe
You have an opportunity, IMO, to do just one important thing. And
that is to specify that all web servers SHOULD allow access to their
normally-served pages using an https URL, and that a browser that
tries https first should succeed. Of course many servers do this
today; we just want something closer to all of them to do
If you do that, the browser developers can take things the rest of
the way. They can leave https as the preferred method by default and
still allow the user some control over that.
The problem with mandatory is that some of you seem to believe that
you have to produce the entire solution by yourselves. You are not
leaving the browser makers an option that they would gladly take if
you simply allowed them to do so without requiring it. You are not
leaving an option for those cases where it really is appropriate to
turn security off. I think you have to enable a solution to the
problem, not require it.
TLS works. But the words "transport layer" are a lie. It's an
application and presentation layer protocol. It seems to me that
it's an interim band-aid for a lower-layer problem. I think you
should leave some room for that lower-layer problem to be solved and
for HTTP to be used without encryption at a high layer once it is.
TLS is also inappropriate for resource URLs, for example image files
encryption serves no purpose when applied to an immutable public
Yes, the cost of success.
I am thinking back to why the Tim B-L version of the web was a
success when others were not. I think it's because Tim didn't insist
that it be an entire solution. Imagine if he'd tried to engineer in
a revenue system like Ted Nelson. He would have gotten nowhere. But
Tim instead left it to other people to figure out how to make money
from the web, and simply gave them sufficient tools to do so.
Similarly, you need to give us sufficient tools to have security
across all web sites. You don't have to force us to use them.
Nope. If tools that I can't control have mandatory encryption there
is little that I can do, regardless of how much of an expert I am.
I understand about the users not knowing what is appropriate. But
what you are saying here is that nobody but you and perhaps your
friends on the HTTP protocol team can ever be competent to make this
decision or can be trusted to do so. Even people who would
reasonably have the responsibility, like web site operators or
browser developers, cannot be given the chance to act
appropriately. You must decide for all of them.
If this were to be the position of the HTTP working group in
general, the problem would be solved because nobody would take them