Re: [apps-discuss] Webfinger goals doc
Melvin Carvalho <melvincarvalho@gmail.com> Wed, 28 November 2012 13:58 UTC
Return-Path: <melvincarvalho@gmail.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17FC721F8521 for <apps-discuss@ietfa.amsl.com>; Wed, 28 Nov 2012 05:58:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Level:
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QcL4Cft1f0KN for <apps-discuss@ietfa.amsl.com>; Wed, 28 Nov 2012 05:58:54 -0800 (PST)
Received: from mail-ia0-f172.google.com (mail-ia0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id 2D05A21F8588 for <apps-discuss@ietf.org>; Wed, 28 Nov 2012 05:58:54 -0800 (PST)
Received: by mail-ia0-f172.google.com with SMTP id j26so10762818iaf.31 for <apps-discuss@ietf.org>; Wed, 28 Nov 2012 05:58:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=oBF6Axb4u+4YV6rKAmRaRt7WXq7/95pQPlNYN8UW9/s=; b=I1bbGzn42Kc8tn38kWt2V61gCSjDlCRdGYZQXy0v2gXwl3ST0FHCm3VzavnFqmLQ5S 2jXN4ABBWIH0g6FH1iqwhMykeC/2nertp5VESAia5ym2vtolKLv8XuNawGHlKGpgmvwD KIpmF/mNXwgI0pZfO+3QvNRhg+mrcH7N0Mzlrroubozqqz3N4xdp9DD1tNH80hLe/m88 bjWiw1Bpxc8+isJu63V9LtjaMGp+LYxs/MAe7OntBMQ+VWSdBRyQpV7/WLumKx3CCWLF JELSmbyMtK55I9STIPo//NXzzU5IDBjtKxm6z0nrS3DTZ3FvYAyGqrmvEfOU3jhoWLN3 DQvw==
MIME-Version: 1.0
Received: by 10.50.108.145 with SMTP id hk17mr19179950igb.51.1354111133585; Wed, 28 Nov 2012 05:58:53 -0800 (PST)
Received: by 10.42.61.203 with HTTP; Wed, 28 Nov 2012 05:58:53 -0800 (PST)
In-Reply-To: <D8BB8A99-35C2-4686-943E-3F858455F1BE@ve7jtb.com>
References: <CAAkTpCqF501qxi31B80GGpyF6xaadd=Dz+ScFC3r42u5w8gQCQ@mail.gmail.com> <34D9A216-BD72-4F79-B9F4-6F626A80AB4B@gmail.com> <070001cdcd43$304ba860$90e2f920$@packetizer.com> <7D3AEFBF-345F-4D8C-8BE3-0002372595B5@josephholsten.com> <D8BB8A99-35C2-4686-943E-3F858455F1BE@ve7jtb.com>
Date: Wed, 28 Nov 2012 14:58:53 +0100
Message-ID: <CAKaEYhLaqXY_sUXR7m4aWbuWB6u4Zo7ar3djvBLt7P09jDpqLg@mail.gmail.com>
From: Melvin Carvalho <melvincarvalho@gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Content-Type: multipart/alternative; boundary="f46d0402a9f31a8f1504cf8e9147"
Cc: webfinger@googlegroups.com, "apps-discuss@ietf.org Discuss" <apps-discuss@ietf.org>
Subject: Re: [apps-discuss] Webfinger goals doc
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Nov 2012 13:58:56 -0000
On 28 November 2012 14:50, John Bradley <ve7jtb@ve7jtb.com> wrote: > I agree that TLS will be hard to impossible for many people off their main > domain. That was one of the reasons for having a subdomain so that you > could delegate it via DNS to a server that can support it. > > That idea seems to be dead however. > > The question is if publishing a WF document that can't safely support a > number of protocols is: > a) worth it. > b) may encourage many RP to ignore the TLS requirement for some protocols > and create unmanageable security issues. > > Letting clients do the wrong thing is hard to put back in the box from > experience. > > The safest thing is to only allow the WF service over TLS. > > I know that in opposition to the social linking use case. That is one of > the problems of trying to solve two similar but not the same problems with > one solution. > > This is an important issue and we should close on it one way or the other. > I hate having to have clients try https and fall back to http for some > relations. I see it going very wrong sometimes. > If HTTPS is considered a MUST, could webfinger work in practice with https and a self signed certificate? > > John B. > > > > On 2012-11-28, at 5:41 AM, Joseph Anthony Pasquale Holsten < > joseph@josephholsten.com> wrote: > > > Big folks will have no problem. Privileged folks with vanity domains > like myself will get over it. > > > > The main use case it screws up is delegation, since you can't bootstrap > from a cheap domain. > > > > On 2012-11-28, at 00:34 , "Paul E. Jones" <paulej@packetizer.com> wrote: > > > >> Dick, > >> > >> Here’s my list of reasons why we should not mandate HTTPS: > >> 1) TLS certificates are difficult to deploy by many > >> 2) Many hosting providers do not support TLS because they do not > support the relatively new SNI extensions for TLS (even my own server did > not support SNI until recently and some deployed browsers still do not) > >> 3) TLS certificates cost more money than the domain name. This is a > serious issue for many, especially in developing countries. Few people > support DNSSEC and RFC 6698. If the world supported DNSSEC and people > could create self-signed certificates, TLS could be widely embraced by > everyone, I suspect. > >> 4) If everything I’m sharing via WF is accessible via HTTP, what’s the > point of protecting the WF query with HTTPS? It definitely makes sense for > OpenID or other sensitive services, but not for more “public” applications > like “where’s Paul’s blog” and “where’s Paul’s avatar”? > >> > >> Are there encryption restrictions in some countries that make TLS > illegal? If so, we could add that as reason #5. > >> > >> All that said, I don’t care if it was mandated, but I just don’t see > the reason for it in some instances and I am concerned that it will limit > deployment of the service. > >> > >> If we could get the world to implement DNSSEC and RFC 6698… problems > solved. By the time that is done, SNI issues will be long gone, too. > >> > >> Paul > >> > >> From: apps-discuss-bounces@ietf.org [mailto: > apps-discuss-bounces@ietf.org] On Behalf Of Dick Hardt > >> Sent: Wednesday, November 28, 2012 12:04 AM > >> To: webfinger@googlegroups.com > >> Cc: apps-discuss@ietf.org > >> Subject: Re: [apps-discuss] Webfinger goals doc > >> > >> Let's be brave and say HTTPS-only. > >> > >> Requiring HTTPS enabled OAuth 2.0 to be MUCH simpler than OAuth 1.0 > (yes, a little apples and oranges comparison, but there was a similar > requirement conversation that had the same goal of pushing complexity to > the server from the client -- it also simplifies the security model) > >> > >> -- Dick > >> > >> On Nov 27, 2012, at 6:17 PM, Brad Fitzpatrick <bradfitz@google.com> > wrote: > >> > >> > >> I just had a chat with Blaine after his recent "I'm out!" email. I > don't think he's actually out--- he's been working on WebFinger for as long > as I have and cares a lot about it. I think he was just grumpy about the > process, speed, and confused about goals and decisions. > >> > >> Anyway, we had a very productive conversation on chat and wrote a doc > together to clarify thought processes and decisions: > >> > >> > https://docs.google.com/document/d/1Yr00Tr5d71-E6x7VDtmEaC48SendGWQe7XcY99pjQWs/edit# > >> > >> The doc is open for comments. I'll try to keep the doc edited and > neutral. It outlines requirements (aka goals for webfinger), assumptions, > and decisions with pros & cons for each and what decision was ultimately > made and why. > >> > >> The decisions are I'm sure subject to change, but hopefully not too > much. > >> > >> Let me know what I missed. > >> > >> My apologies if you don't like the document's medium or fluidity, but > it's the tool I have to work with, and better than nothing. If you object > to the fluidity and want something concrete to reply to in email, I've > snapshotted the document to http://goo.gl/fTMC1 but I won't accept > comments or make changes there. Use whatever mechanism you prefer. > >> > >> - Brad > >> > >> > >> Copy of doc for posterity: > >> > >> WebFinger Goals, Assumptions, and Decisions (SNAPSHOT1) > >> > >> aka background reading on understanding the WebFinger spec > >> > >> Requirements > >> > >> > >> • given just a string that looks like “user@host.com”, find a > machine-readable metadata document. > >> • background: since the death of the “finger” protocol > (from which webfinger gets its name), email-looking identifiers like “ > user@host.com” have been write-only: you can email it (maybe, if it > speaks SMTP), but you can’t do any read/discovery operations on it. You > can’t find its supported or preferred protocols, its name, its avatar, its > public key, its identity/social/blog server, etc. > >> • the format of the identifier matters because people > (“regular users”) effortlessly identify with their email addresses, and > already use them for sharing outside (and inside) of social networks > >> • corollary: WebFinger is not about doing > discovery on URLs or URIs or IRIs or XRIs or any other “dorky” identifier. > Webfinger is about doing a discovery (read) operation on something a > non-technical user would write on a napkin or give you on a business card. > >> • clients can be implemented in browsers in JavaScript > >> • corollary: CORS shout-out in spec > >> • corollary: no DNS component > >> • delegation to webfinger-as-a-service by larger providers from > self-hosted or organisational domains is possible (cf. DNS NS records) > >> • latency of updates must be low (unlike DNS) > >> • no service provider (no company) is special-cased. > >> Assumptions > >> > >> > >> • the string “user@host.com” is NOT necessarily an email address, > even though most people today associate it with an email address. > >> • corollary: the “acct:” URI scheme and > draft-ietf-appsawg-acct-uri-01 etc > >> • complexity in specs leads to few and/or poor implementations and > ultimately hinders adoption > >> • corollary: value simplicity wherever possible, even if > it means some things are harder or not possible for some parties. > >> • i.e. we’d rather have a 3 page spec that makes 90% of > people happy rather than a 30 page spec that makes 95% of people happy, > especially if such a smaller spec means a much improved chance of adoption. > >> • obvious, but: optional parts in specs need to be optional for > only one party (client or server) and required for the other. > >> • i.e. there needs to always be an intersection of > features in the spec that both parties support. e.g. can’t have both > clients and servers decide to only speak > >> • there will be more clients than servers > >> • corollary: it should be easier to write/run a client > than a server > >> • few users own their own domain name and will run their own > identity server > >> • … and those that do own their own domain name will > mostly want to delegate management of their webfinger profiles or will know > what they’re doing and therefore don’t need to be catered to. > >> • further assumption: most will be running Wordpress or > some such software already. > >> • corollary: we don’t have to cater to this small audience > much.. they’ll know what they’re doing, or their hosting software will. > >> • should be easy to do both client and server. Ideal solution > balances both (delegation for simpler servers)? > >> • standards MUST be programmer-friendly > >> Decisions > >> > >> > >> • HTTP vs DNS > >> • DNS (SRV, TXT, etc) precludes JavaScript clients (as of > 2006-2012), so rejected. HTTP instead. > >> • JSON vs XML > >> • Per assumption above, we needed to pick at least one as > required. We chose JSON. If both parties advertise (via HTTP headers) > that they prefer XML, that’s fine. JSON is easier for JavaScript clients, > as one advantage. It’s also simpler to read on the page (per the > complexity argument). But both are small arguments and not worth arguing > about. At the end of the day a decision had to be made, and it was. > >> • HTTP-ish (Accept / Link headers, etc) vs well-known path > >> > >> • HTTP-ish is more proper, but viewed as too hard for > servers to route (routing on headers, rather than request paths) and more > importantly too hard for clients to send (setting headers). > >> • well-known URLs (like /favicon.ico) are gross, though. > >> • Decision: use a well-known URL. > >> • We defined RFC 5785 first instead, to make using a > well-known path less offensive. > >> • One HTTP request vs two. > >> • Two requests: clients first fetch /.well-known/host-meta > (to find where to do a webfinger query), then fetch that. > >> • PRO: the host-meta document can be a static > file, which makes delegation to other webfinger service providers easier > for custom domains. > >> • CON: twice the latency, especially for mobile > >> • CON: extra client complexity > >> • One request: clients just do a query immediately to > /.well-known/webfinger, without consulting host-meta. > >> • PRO: half the latency > >> • PRO: less client complexity > >> • CON: service providers may need to reverse-proxy > the query to the right backend. > >> • CON: harder for small domain names with static > webservers to delegate. > >> • Decision: Just one HTTP requests, because we care more > about client simplicity than server simplicity. > >> • HTTPS-only vs HTTPS-recommended > >> • HTTPS-only: > >> • PRO: secure > >> • PRO: simpler for clients (one round-trip) > >> • CON: hard for some servers to setup (config, > certs, etc) > >> • HTTPS-recommended: > >> • CON: added client complexity. But at least good > clients can opportunistically fetch both in parallel and only use HTTP if > they’re feeling trusting, once they see the HTTPS one fails. If HTTPS > succeeds, no added latency. > >> • PRO: easier > >> • Decision: HTTPS-recommended. Clients may choose to only > do HTTPS, as can servers, which means in practice almost all servers will > probably only be HTTPS. > >> • Debate: this seems inconsistent with our policy of > caring about clients and simplicity more than servers. And it seems like a > failure to decide, since we say both are optional for either party, counter > to the assumption above that specs need requirements for either client or > server. > >> • > >> > > > > _______________________________________________ > apps-discuss mailing list > apps-discuss@ietf.org > https://www.ietf.org/mailman/listinfo/apps-discuss >
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- Re: [apps-discuss] Webfinger goals doc John Bradley
- Re: [apps-discuss] Webfinger goals doc Dick Hardt
- Re: [apps-discuss] Webfinger goals doc Mike Jones
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- Re: [apps-discuss] Webfinger goals doc Sandeep Shetty
- Re: [apps-discuss] Webfinger goals doc John Bradley
- Re: [apps-discuss] Webfinger goals doc John Bradley
- Re: [apps-discuss] Webfinger goals doc Melvin Carvalho
- Re: [apps-discuss] Webfinger goals doc Paul Hoffman
- Re: [apps-discuss] Webfinger goals doc Dick Hardt
- Re: [apps-discuss] Webfinger goals doc Ben Laurie
- [apps-discuss] Webfinger goals doc Brad Fitzpatrick
- Re: [apps-discuss] Webfinger goals doc Brad Fitzpatrick
- Re: [apps-discuss] Webfinger goals doc Brad Fitzpatrick
- Re: [apps-discuss] Webfinger goals doc Brad Fitzpatrick
- Re: [apps-discuss] Webfinger goals doc John Bradley
- Re: [apps-discuss] Webfinger goals doc Phillip Hallam-Baker
- Re: [apps-discuss] Webfinger goals doc Joe Gregorio
- Re: [apps-discuss] Webfinger goals doc Breno de Medeiros
- Re: [apps-discuss] Webfinger goals doc William Mills
- Re: [apps-discuss] Webfinger goals doc Martin J. Dürst
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- Re: [apps-discuss] Webfinger goals doc Breno de Medeiros
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- Re: [apps-discuss] Webfinger goals doc Evan Prodromou
- Re: [apps-discuss] Webfinger goals doc John Bradley
- Re: [apps-discuss] Webfinger goals doc John Bradley
- Re: [apps-discuss] Webfinger goals doc Breno de Medeiros
- Re: [apps-discuss] Webfinger goals doc Breno de Medeiros
- Re: [apps-discuss] Webfinger goals doc Blaine Cook
- Re: [apps-discuss] Webfinger goals doc John Bradley
- Re: [apps-discuss] Webfinger goals doc Breno de Medeiros
- Re: [apps-discuss] Webfinger goals doc William Mills
- Re: [apps-discuss] Webfinger goals doc Joseph Holsten
- Re: [apps-discuss] Webfinger goals doc Evan Prodromou
- Re: [apps-discuss] Webfinger goals doc Tim Bray
- Re: [apps-discuss] Webfinger goals doc John Bradley
- Re: [apps-discuss] Webfinger goals doc Evan Prodromou
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- Re: [apps-discuss] Webfinger goals doc Breno de Medeiros
- Re: [apps-discuss] Webfinger goals doc Evan Prodromou
- Re: [apps-discuss] Webfinger goals doc William Mills
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- Re: [apps-discuss] Webfinger goals doc Evan Prodromou
- Re: [apps-discuss] Webfinger goals doc William Mills
- Re: [apps-discuss] Webfinger goals doc Breno de Medeiros
- Re: [apps-discuss] Webfinger goals doc John Bradley
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- Re: [apps-discuss] Webfinger goals doc Breno de Medeiros
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- Re: [apps-discuss] Webfinger goals doc Breno de Medeiros
- Re: [apps-discuss] Webfinger goals doc John Panzer
- Re: [apps-discuss] Webfinger goals doc William Mills
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- Re: [apps-discuss] Webfinger goals doc Joseph Anthony Pasquale Holsten
- Re: [apps-discuss] Webfinger goals doc John Panzer
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- Re: [apps-discuss] Webfinger goals doc Joseph Holsten
- Re: [apps-discuss] Webfinger goals doc Dick Hardt
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- Re: [apps-discuss] Webfinger goals doc Breno de Medeiros
- Re: [apps-discuss] Webfinger goals doc William Mills
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Dick Hardt
- Re: [apps-discuss] Webfinger goals doc Mike Jones
- Re: [apps-discuss] Webfinger goals doc John Panzer
- Re: [apps-discuss] Webfinger goals doc t.petch
- Re: [apps-discuss] Webfinger goals doc Bob Wyman
- [apps-discuss] R: Webfinger goals doc Goix Laurent Walter
- Re: [apps-discuss] Webfinger goals doc John Bradley
- Re: [apps-discuss] Webfinger goals doc John Bradley
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- Re: [apps-discuss] Webfinger goals doc Breno de Medeiros
- Re: [apps-discuss] Webfinger goals doc Tim Bray
- Re: [apps-discuss] Webfinger goals doc Brad Fitzpatrick
- Re: [apps-discuss] Webfinger goals doc Brad Fitzpatrick
- Re: [apps-discuss] Webfinger goals doc Brad Fitzpatrick
- Re: [apps-discuss] Webfinger goals doc Zellyn Hunter
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- Re: [apps-discuss] Webfinger goals doc Bob Wyman
- Re: [apps-discuss] Webfinger goals doc John Bradley
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Nico Williams
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- Re: [apps-discuss] Webfinger goals doc John Bradley
- Re: [apps-discuss] Webfinger goals doc Paul E. Jones
- Re: [apps-discuss] Webfinger goals doc John Bradley
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Nico Williams
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP James M Snell
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Nico Williams
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP John Bradley
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP James M Snell
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Nico Williams
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Bob Wyman
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Breno de Medeiros
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Tim Bray
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Martin Thomson
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Breno de Medeiros
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Tim Bray
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Nico Williams
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Nico Williams
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Blaine Cook
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP William Mills
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Evan Prodromou
- Re: [apps-discuss] Webfinger goals doc Brad Fitzpatrick
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Brad Fitzpatrick
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP John Bradley
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP John Bradley
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Tim Bray
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Tim Bray
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Tim Bray
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Nico Williams
- [apps-discuss] Options... Re: HTTPS-only vs HTTPS… William Mills
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Paul E. Jones
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP John Bradley
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Paul E. Jones
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Mikael Nordfeldth
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Melvin Carvalho
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Dick Hardt
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Brad Fitzpatrick
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Zellyn Hunter
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Nico Williams
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Paul E. Jones
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Dick Hardt
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Dick Hardt
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Nico Williams
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Nico Williams
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Dick Hardt
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Dick Hardt
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Nico Williams
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Dick Hardt
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP John Panzer
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Dick Hardt
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Paul E. Jones
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Paul E. Jones
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Tim Bray
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Paul E. Jones
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Tim Bray
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Martin J. Dürst
- Re: [apps-discuss] Web Finger HTTPS-only vs HTTPS… John Bradley
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Nico Williams
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Evan Prodromou
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Nico Williams
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP John Panzer
- Re: [apps-discuss] HTTPS-only vs HTTPS-and-HTTP Brad Fitzpatrick