HTTP:// URIs over TLS #315
One of the approaches considered for improving security is opportunistic encryption.
Two variants have been discussed; "relaxed" where server authentication is not checked, and "strict", where it is. In discussion, it appears that there's a preference for just using HTTPS URLs over "strict", but there is still some interest in "relaxed."
There appears to be some implementer interest in this approach, but not yet readiness to implement, so this issue is on hold.
Note that opp encryption might also be applied to HTTP/1.1.
The text was updated successfully, but these errors were encountered:
Notes from Zurich:
HTTP URIs over TLS
a. In-band Hint (header) - optional to use.
b. DNS -- not now.
c. use existing 443 connection for defaulted ports - some interest (esp. in addition to other mechanisms); needs refusal. SETTINGS indicator for support; refusal error code (?)
d. encryption inside HTTP/2 -- no
e. speculative connection -- we will say nothing about this
i. Refusal (you got the endpoint wrong)
ii. implicit shortcut