- From: Kyle Rose <krose@krose.org>
- Date: Fri, 25 Sep 2015 13:24:32 -0400
- To: Martin Thomson <martin.thomson@gmail.com>
- Cc: Poul-Henning Kamp <phk@phk.freebsd.dk>, Yoav Nir <ynir.ietf@gmail.com>, Amos Jeffries <squid3@treenet.co.nz>, HTTP Working Group <ietf-http-wg@w3.org>
> There was strong agreement that this feature would be accompanied by a
> prominent and severe admonishment against using it. I definitely want
> to talk about what the alternatives look like, but perhaps we should
> start a separate thread on that subject.

For a variety of reasons, certificate-based browser authentication is not going away, so in light of this I would be very interested in helping formulate a replacement either at the protocol layer or at the application layer with the proper hooks to allow for apps to present a good UI to the user in ambiguous cases.

In the meantime, the options presented seem no worse than what we're doing today with HTTP/1.1 and TLS <= 1.2, and clearly better than the alternatives in the sense that they won't require clients to downgrade to 1.1 for what is a "normal" case in a lot of places.

Kyle
Received on Friday, 25 September 2015 17:25:03 UTC