Re: HTTP/2 and Pervasive Monitoring

On Thu, Aug 14, 2014 at 7:58 PM, Mark Nottingham <> wrote:
> Note that most of the justification for our decision not to require https:// for HTTP/2 seems to be predicated on this part of our charter <>:
> "The resulting specification(s) are expected to meet these goals for common existing deployments of HTTP[.]"
> ... i.e., we're not able to argue that people who can't use https:// should just stay on HTTP/1.1. This charter text was written before BCP188 (and the incidents leading up to it), but has considerable support in the WG.

In the end, it seems like the working group accepted that there will
be times when implementations must fall back to HTTP/1.1, so isn't the
justification you mention above void now? In particular, see this very
recent thread "Feedback on Fallback" started by Mike Bishop and the
"Over-Version" draft it references:

Consequently, I don't think the shepherd's writeup should say that
requiring authenticated TLS for HTTP/2 was rejected on the grounds
that fallback to HTTP/1.1 is unacceptable, since the group came around
to agreeing that fallback to HTTP/1.1 is indeed a reasonable
compromise sometimes.


Received on Friday, 15 August 2014 18:32:08 UTC