Re: An HTTP->HTTPS upgrading strawman. (was Re: Upgrade mixed content URLs through HTTP header) from Chris Palmer on 2015-02-05 (public-webappsec@w3.org from February 2015)

From: Chris Palmer <palmer@google.com>
Date: Thu, 5 Feb 2015 13:49:29 -0800
To: Brad Hill <hillbrad@gmail.com>
Cc: Mike West <mkwst@google.com>, Peter Eckersley <pde@eff.org>, Anne van Kesteren <annevk@annevk.nl>, Ryan Sleevi <sleevi@google.com>, "Eduardo' Vela" <evn@google.com>, Wendy Seltzer <wseltzer@w3.org>, Adam Langley <agl@google.com>, WebAppSec WG <public-webappsec@w3.org>, Mark Nottingham <mnot@mnot.net>, Martin Thomson <martin.thomson@gmail.com>
Message-ID: <CAOuvq22wvGovGv+FAErEmSSM4K6TKx8p6v05RoKjKeApzHD5oQ@mail.gmail.com>

On Thu, Feb 5, 2015 at 1:18 PM, Brad Hill <hillbrad@gmail.com> wrote:

> Just FYI, that the websec WG in the IETF is basically in the process of
> being decommissioned, so getting a standards-track RFC number for an updated
> HSTS draft isn't likely to be a quick exercise.

And that is a good thing. Standards should standardize existing
known-to-work practice, not be untried designs (by committee). I
suggest: document any HSTS extensions in Internet-Draft form; get 2
open source implementations, try it out for a while and see if it
works and if people really want it; and then optionally RFC-ify later.

Received on Thursday, 5 February 2015 21:49:56 UTC