
Re: [TLS] Last Call: <draft-ietf-tls-applayerprotoneg-03.txt> (Transport Layer Security (TLS) Application Layer Protocol Negotiation Extension) to Proposed Standard

2013-12-15 17:28:04
On Sat, 2013-12-14 at 00:50 +0000, Alyssa Rowan wrote:

> [...] we now have TLS tell us whether there's HTTP/1 or HTTP/2
> inside.
> The I-D doesn't seem to limit this to HTTP/1 or HTTP/2: it's a general
> extension, which suggests a general use case.
>
> If HTTP/(1|2) is all it's really intended to be used for at this time
> (your and Martin's responses make me think maybe it is), then perhaps
> we SHOULD only use it for that at this time.
> I think that would substantially weaken my objection. How would others
> feel about that?

I don't see any advantage in your proposal. Why restrict ALPN from
negotiating anything other than HTTP? Currently we _already_ select
protocols in the clear using different service ports. ALPN allows
negotiating a different service even if the port is fixed (e.g. 443). Why do
you think ALPN is worse than what we have already and shouldn't be
allowed to negotiate other services?

I understand, however, that you'd prefer ALPN not be in the clear, but TLS does
_not_ offer any mechanism to conceal anything negotiated during the
handshake. NPN takes the greedy path and hacks the protocol to allow
concealing only the negotiated protocol (the two peers' identities are
still in the clear, as is any other negotiated information). If NPN
is accepted it would certainly make it harder to design a clean method that
conceals _all_ negotiated information in the next protocol revision (as it
would have to carry the NPN hack).

regards,
Nikos
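To make concrete the point above that ALPN is negotiated in the clear, here is an added example (not from this thread or the draft) that encodes an ALPN extension and extracts the offered protocol list from a ClientHello extensions block, as a passive observer or monitoring tool could. It assumes the wire format of the published RFC 7301 (extension type 16, a 2-byte ProtocolNameList length, then 1-byte length-prefixed names); the protocol IDs and the extra renegotiation_info extension are constructed sample data.

```python
import struct

ALPN_EXTENSION_TYPE = 16          # application_layer_protocol_negotiation (RFC 7301)
RENEGOTIATION_INFO_TYPE = 0xFF01  # used here only as a non-ALPN neighbour

def encode_raw_extension(ext_type, body):
    """TLS extension TLV: 2-byte type, 2-byte length, body."""
    return struct.pack("!HH", ext_type, len(body)) + body

def encode_alpn_extension(protocols):
    """Build the ALPN extension: ProtocolNameList of 1-byte-length-prefixed names."""
    names = b"".join(bytes([len(p)]) + p.encode("ascii") for p in protocols)
    return encode_raw_extension(ALPN_EXTENSION_TYPE, struct.pack("!H", len(names)) + names)

def build_extensions_block(extensions):
    """2-byte total length followed by the concatenated extension TLVs."""
    body = b"".join(extensions)
    return struct.pack("!H", len(body)) + body

def _parse_alpn_body(data):
    (list_len,) = struct.unpack("!H", data[:2])
    if list_len != len(data) - 2:
        raise ValueError("ProtocolNameList length mismatch")
    names, pos = [], 2
    while pos < len(data):
        n = data[pos]
        pos += 1
        if n == 0 or pos + n > len(data):
            raise ValueError("empty or truncated ProtocolName")
        names.append(data[pos:pos + n].decode("ascii"))
        pos += n
    return names

def parse_alpn_from_extensions(ext_block):
    """Walk the extensions block and return the ALPN names, or None if absent.
    Everything needed is plaintext: no key material is involved."""
    (total,) = struct.unpack("!H", ext_block[:2])
    pos, end = 2, 2 + total
    if end > len(ext_block):
        raise ValueError("truncated extensions block")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", ext_block[pos:pos + 4])
        pos += 4
        data = ext_block[pos:pos + ext_len]
        if len(data) != ext_len:
            raise ValueError("truncated extension body")
        pos += ext_len
        if ext_type == ALPN_EXTENSION_TYPE:
            return _parse_alpn_body(data)
    return None
```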

