- From: Matthew Kerwin <matthew@kerwin.net.au>
- Date: Sun, 29 Mar 2015 18:23:02 +1000
- To: Glen <glen.84@gmail.com>
- Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
- Message-ID: <CACweHND8G-5XjA4yp1XuXd91XK5mAaUB4tQ+Zqg8qZ9HjooJTg@mail.gmail.com>
On 29 March 2015 at 00:43, Glen <glen.84@gmail.com> wrote:

> Hi,
>
> I have 2 questions, if I may.
>
> 1. What were the reasons for HTTP/2 not requiring TLS?
>
> [...]
>
> It would be nice if the web was just "secure by default", and I would have
> thought that now would be the right time to move in that direction.

It's worth remembering that HTTP also exists outside the web. I know this is the *I*ETF, and we're specifying *internet* standards, but it behooves us to think outside the big grey cloud if we can do something that benefits the entire worldly computer community, even those parts not on the open net/web -- especially when it's a protocol as big as HTTP.

I'd rather not run TLS on my firewalled/airgapped home network when there's no real reason, especially if that required an insecure cert to be firm-coded into the web server in my intelligent switch, or my printer, or my smart-fridge (if I had one of those).

The counter-argument was that I could just use HTTP/1 there, but that's either lame ("H2 isn't as useful as HTTP/1") or snobbish ("you're not good enough to use H2"), depending on how you interpret it.

It would also disappoint me if I were to take part in the WG and help (in a small way) to define this awesome new protocol, and even work on my own implementation, only to discover that I couldn't use it in some circumstances.

And on costs: I'm personally not keen on paying extra (ongoing) for my web hosting to have a unique IP address, and then pay every year for a SAN certificate for my vhosts (I'd need to cover both foo.net and www.foo.net at the least).

Those were my main motivations for pushing back.

And as others have said, there are other ways to get "secure by default" than requiring "TLS everywhere."

Cheers

--
Matthew Kerwin
http://matthew.kerwin.net.au/
Received on Sunday, 29 March 2015 08:23:30 UTC