- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Thu, 20 Mar 2014 15:16:18 +0000
- To: "William Chan (陈智昌)" <willchan@chromium.org>, Mark Nottingham <mnot@mnot.net>
- CC: HTTP Working Group <ietf-http-wg@w3.org>
On 03/20/2014 02:39 AM, William Chan (陈智昌) wrote: > If everyone else says they believe that the working group > consensus indeed is to document http:// over TLS in the core HTTP/2 spec, With no hats, I'd like to be on the record as saying that documenting how to do http:// URIs via TLS as part of HTTP/2.0 would be a really good thing to do. Especially in the light of recent reports of cleartext HTTP being used to trigger other attacks. And defining that at the same time as we are defining HTTP/2.0 seems like the perfect time to me. (Adding it later would be far less good IMO.) I don't have a very strong position about which 2119 keywords are used to talk about whether that MAY, SHOULD or MUST be implemented or used, but one could argue that both BCP 61 and the new perpass-attack BCP will be far more clearly satisfied the more that feature is implemented. The main thing for me however is that it be well-defined now so that those who want to use that feature can do so and get interop and be in a position to mitigate attacks such as those referred to above without requiring changes to web content. And yes, I do get that this is not entirely a slam-dunk, but from the discussion I've heard and the evidence that it can be done from Patrick and I think Will, it seems to me that defining how to do it ought not be something that'd add significant (or any) delay. S.
Received on Thursday, 20 March 2014 15:16:45 UTC