Re: SSL/TLS everywhere fail

On 4 Dec 2015, at 9:49 pm, Cory Benfield <cory@lukasa.co.uk> wrote:
> 
> However, I want to point out that *this working group* has, to my knowledge, never enacted any requirement that could be referred to as mandating, or even particularly encouraging, TLS-everywhere. RFC 7540, the most recent product from this group, quite expressly allows for plaintext HTTP/2: it even specifies how to negotiate and use it. That support exists in the wild, today: my implementations can do plaintext HTTP/2, several of the server implementations can do it, and I’ve used it on the open web myself.

Correct.

> As I understand it, your objection is not with *this working group*, it is with specific implementations (and possibly their representatives on this working group). Browsers and servers choose to restrict themselves to TLS-transports: the products of this WG do not mandate it. As a result, I believe a large chunk of the content in this thread is off-topic for this WG, and strictly on-topic for the mailing lists of implementations that implement only encrypted H2. I encourage those with concerns to take them to those implementations directly, rather than hoping that their concerns will filter through from representatives on this list.

Indeed. For those who might wonder, I'm not stopping this thread because it's interesting and germane to the use of HTTP, and because right now (i.e. over the last few days), we're in a bit of a lull, so it's not distracting from other work.

Cheers,


--
Mark Nottingham   https://www.mnot.net/

Received on Saturday, 5 December 2015 00:22:46 UTC