W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2015

Re: Testing W3C's HTTPS setup

From: Eric Mill <eric@konklone.com>
Date: Mon, 21 Sep 2015 13:53:01 -0400
Message-ID: <CANBOYLWYbJayk-78Gv0d_F1oz0YCZkFK4pcxBXU6TQ9dMKvAWw@mail.gmail.com>
To: Richard Barnes <rbarnes@mozilla.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, Mike West <mkwst@google.com>, Jose Kahan <jose.kahan@w3.org>, Wendy Seltzer <wseltzer@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Sep 21, 2015 at 1:33 PM, Richard Barnes <rbarnes@mozilla.com> wrote:

>
>
> On Mon, Sep 21, 2015 at 1:29 PM, Anne van Kesteren <annevk@annevk.nl>
> wrote:
>
>> On Mon, Sep 21, 2015 at 2:06 PM, Mike West <mkwst@google.com> wrote:
>> > On Mon, Sep 21, 2015 at 1:48 PM, Jose Kahan <jose.kahan@w3.org> wrote:
>> >> We need a solution that will allow to assume all content is https,
>> >> in perpetuity, without needing to upgrade all legacy content.
>> >
>> > That seems like an unfortunate design decision. I hope you'll change
>> your
>> > mind over time. :)
>>
>> Why?
>>
>> The header makes the two types of content identical. User agents not
>> implementing the header will be considered broken in due course, just
>> like user agents not supporting the Host header are today.
>>
>> I really don't think we should give folks the impression that one is
>> better than the other long term, or worse, that the header might go
>> away. That just harms adoption.
>>
>
> +1
>
> Once we're in a world where we can apply a "universal HSTS" policy,
> there's no reason to continue hating on "http:" URIs.
>

Sure, but that world is a long ways away, much longer than the W3C should
wait to start demonstrating leadership with HTTPS/HSTS on w3.org.

-- Eric


>
>
>>
>>
>> --
>> https://annevankesteren.nl/
>>
>>
>


-- 
konklone.com | @konklone <https://twitter.com/konklone>
Received on Monday, 21 September 2015 17:54:08 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:15 UTC