Re: HTTP/2 and Pervasive Monitoring

Brian Smith <brian@briansmith.org> Fri, 15 August 2014 18:35 UTC

From: Brian Smith <brian@briansmith.org>
To: Mark Nottingham <mnot@mnot.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Archived-At: <http://www.w3.org/mid/CAFewVt7OwvOOJpKin_iFyGA7yRZCxbJiFaCH3XTi6-wbvp19tw@mail.gmail.com>

On Thu, Aug 14, 2014 at 7:58 PM, Mark Nottingham <mnot@mnot.net> wrote:
> Note that most of the justification for our decision not to require https:// for HTTP/2 seems to be predicated on this part of our charter <http://datatracker.ietf.org/wg/httpbis/charter/>:
>
> "The resulting specification(s) are expected to meet these goals for common existing deployments of HTTP[.]"
>
> ... i.e., we're not able to argue that people who can't use https:// should just stay on HTTP/1.1. This charter text was written before BCP188 (and the incidents leading up to it), but has considerable support in the WG.

In the end, it seems like the working group accepted that there will
be times when implementations must fall back to HTTP/1.1, so isn't the
justification you mention above void now? In particular, see this very
recent thread "Feedback on Fallback" started by Mike Bishop and the
"Over-Version" draft it references:

    http://lists.w3.org/Archives/Public/ietf-http-wg/2014JulSep/1724.html
    http://tools.ietf.org/html/draft-nottingham-http-over-version-00

Consequently, I don't think the shepherd's writeup should say that
requiring authenticated TLS for HTTP/2 was rejected on the grounds
that fallback to HTTP/1.1 is unacceptable, since the group came around
to agreeing that fallback to HTTP/1.1 is indeed a reasonable
compromise sometimes.

Cheers,
Brian