On 11/14/2013 10:01 PM, Mike Belshe wrote:


   1) Should we be striving for more communications privacy and security in HTTP at all?
You have an opportunity, IMO, to do just one important thing. And that is to specify that all web servers SHOULD allow access to their normally-served pages using an https URL, and that a browser that tries https first should succeed. Of course many servers do this today; we just want something closer to all of them to do so.

If you do that, the browser developers can take things the rest of the way. They can leave https as the preferred method by default and still allow the user some control over that.

   2) Is mandatory security a good step toward that goal?
The problem with mandatory is that some of you seem to believe that you have to produce the entire solution by yourselves. You are not leaving the browser makers an option that they would gladly take if you simply allowed them to do so without requiring it. You are not leaving an option for those cases where it really is appropriate to turn security off. I think you have to enable a solution to the problem, not require it.

   3) Is TLS a good step toward that goal?
TLS works. But the words "transport layer" are a lie. It's an application and presentation layer protocol. It seems to me that it's an interim band-aid for a lower-layer problem. I think you should leave some room for that lower-layer problem to be solved and for HTTP to be used without encryption at a high layer once it is.

TLS is also inappropriate for resource URLs, for example image files and JavaScript. Caching really should work for those things, and encryption serves no purpose when applied to an immutable public resource.

   This is very different from HTTP of yesteryear.  The malware present, the bad actors present, and the volume of users online without strong technical depth have radically changed since HTTP/1.1 was drafted 15 years ago.
Yes, the cost of success.

I am thinking back to why the Tim B-L version of the web was a success when others were not. I think it's because Tim didn't insist that it be an entire solution. Imagine if he'd tried to engineer in a revenue system like Ted Nelson. He would have gotten nowhere. But Tim instead left it to other people to figure out how to make money from the web, and simply gave them sufficient tools to do so. Similarly, you need to give us sufficient tools to have security across all web sites. You don't have to force us to use them.

   Hopefully we agree that HTTP should be doing this and can stop debating "but I want my open network for me in my house".  You're an expert.  You can figure something out that you like, no matter what protocol choices we make.
Nope. If tools that I can't control have mandatory encryption there is little that I can do. Regardless of what an expert I am.

   And the website operators, they don't know what a given user needs to encrypt/make private/secure either.
I understand about the users not knowing what is appropriate. But what you are saying here is that nobody but you and perhaps your friends on the HTTP protocol team can ever be competent to make this decision or can be trusted to do so. Even people who would reasonably have the responsibility, like web site operators or browser developers, can not be given the chance to act appropriately. You must decide for all of them.

If this were to be the position of the HTTP working group in general, the problem would be solved because nobody would take them seriously.

    Thanks

    Bruce