> On 22 Sep 2016, at 8:11 AM, Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
> Martin Thomson <martin.thom...@gmail.com> writes:
>> The advantage with deploying a new protocol is that you can be strict. If,
>> for example, all of the browsers implement TLS 1.3 and are strict, then
>> Amazon won't be able to deploy a buggy 1.3 implementation without noticing
>> pretty quickly. You might suggest that that's aspiration to the point of
>> delusion, but in fact it worked out pretty well with HTTP/2 deployment. We
>> didn't squash ALL of the nasty bugs, but we got most of them.
> It also means you're going to be in for a rude shock when you encounter the
> ocean of embedded/SCADA/IoT devices with non-mainstream TLS implementations.
> The reason why HTTP/2 "works" is that it essentially forked HTTP, HTTP/2 for
> Google, Amazon, etc, and the browser vendors, and HTTP 1.1 for everything
> else that uses HTTP as its universal substrate. As a result there will be
> two versions of HTTP in perpetuity, HTTP 1.1 and HTTP-whatever-the-current-

Perhaps. But if at some point all websites use
HTTP-whatever-the-current-version-is then maybe browsers can remove support for
HTTP/1.1 and then your embedded/SCADA/IoT devices won’t give us that rude shock.
I honestly don’t think that having two protocols for these two radically
different use cases is a bad outcome.
TLS mailing list