W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2014

Re: http://tools.ietf.org/html/draft-nottingham-httpbis-alt-svc as a normative reference in http/2

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Thu, 20 Mar 2014 15:16:18 +0000
Message-ID: <532B0642.7060103@cs.tcd.ie>
To: "William Chan (陈智昌)" <willchan@chromium.org>, Mark Nottingham <mnot@mnot.net>
CC: HTTP Working Group <ietf-http-wg@w3.org>

On 03/20/2014 02:39 AM, William Chan (陈智昌) wrote:
>  If everyone else says they believe that the working group
> consensus indeed is to document http:// over TLS in the core HTTP/2 spec,

With no hats, I'd like to be on the record as saying that
documenting how to do http:// URIs via TLS as part of HTTP/2.0
would be a really good thing to do. Especially in the light
of recent reports of cleartext HTTP being used to trigger
other attacks. And defining that at the same time as we are
defining HTTP/2.0 seems like the perfect time to me. (Adding
it later would be far less good IMO.)

I don't have a very strong position about which 2119 keywords
are used to talk about whether that MAY, SHOULD or MUST be
implemented or used, but one could argue that both BCP 61 and
the new perpass-attack BCP will be far more clearly satisfied
the more that feature is implemented. The main thing for me
however is that it be well-defined now so that those who want
to use that feature can do so and get interop and be in a
position to mitigate attacks such as those referred to above
without requiring changes to web content.

And yes, I do get that this is not entirely a slam-dunk, but
from the discussion I've heard and the evidence that it can
be done from Patrick and I think Will, it seems to me that
defining how to do it ought not be something that'd add
significant (or any) delay.

Received on Thursday, 20 March 2014 15:16:45 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:25 UTC