On Sat, Aug 16, 2014 at 02:21:18AM +0000,
l(_dot_)wood(_at_)surrey(_dot_)ac(_dot_)uk wrote:
I'd like to see this draft discuss http early on - redirecting any http
request to https (via 301/302/303/307 redirection) for login pages etc.
is transparent, opportunistic, and easy to do, and a widespread example
that gets the opportunistic idea across; I've explained this to Stephen
previously.
OS should be applied to HTTP, but there may be enough to discuss there
that we'd never finish with this I-D if we had to deal with it now.
But yes, HTTP w/ OS is something we'll definitely want. At the most
basic level if a server advertises TLSA RRs in DNS, verifiable with
DNSSEC. Then HTTP clients that support OS should (MUST!) use HTTPS for
all HTTP requests to such a server.
The tricky issue is: how can users and hypermedia authors denote "no
fallback to cleartext" -- adding a new URI scheme is the first thought
that comes to mind about that, but it seems likely not to be that
simple. Admittedly a "no fallback to cleartext" indication may prove
unnecessary: eventually support for unauthenticated encryption may reach
a large enough proportion of servers that clients can begin disabling
fallback to cleartext. But you see my concern: it's too soon to tell
whether we'll need to do anything about indicating no fallbackto
cleartext.
Nico
--