Re: IAB Statement on Internet Confidentiality

> On 14 Nov 2014, at 2:27 am, Matthew Kerwin <matthew@kerwin.net.au> wrote:
> 
> This leaps out at me:
> 
>> There are protocols which may as a result
>> require encryption on the Internet even
>> when it would not be a requirement for that
>> protocol operating in isolation.
>> 
> 
> I just want to confirm that the http/2 protocol we're developing is
> intended for both the open internet and operation "in isolation."

Speaking off the cuff — this is the IETF, we develop Internet protocols. While it’s true that by nature many Internet protocols are useful without being connected to the Internet, I don’t see that being a significant constraint of how we design or document them.

The applicable part of our charter is:

“””
The resulting specification(s) are expected to meet these goals for common existing deployments of HTTP; in particular, Web browsing (desktop and mobile), non-browsers ("HTTP APIs"), Web serving (at a variety of scales), and intermediation (by proxies, corporate firewalls, "reverse" proxies and Content Delivery Networks).
“””

This heavily implies internetworked systems (including clients and servers “behind the firewall”).

At any rate — because of where we’re at in the HTTP/2 discussion, we’re not going to reopen the debate based upon what we think the IESG *might* do; rather, we’ll wait until they actually do it (i.e., DISCUSS and return the document to us), if they actually do it.


> This missive makes me wonder if we shouldn't start working on that
> "deployment guidelines" document that's been mentioned from time to
> time, to try and have something published at the same time as h2 that
> says, "always use https/tls on the open web."

Yes, we might go there. 



--
Mark Nottingham   http://www.mnot.net/

Received on Sunday, 16 November 2014 01:12:27 UTC