Re: Review of: Opportunistic Security -03 preview for comment

On Sat, Aug 16, 2014 at 02:21:18AM +0000, l.wood@xxxxxxxxxxxx wrote:
> I'd like to see this draft discuss http early on - redirecting any http
> request to https (via 301/302/303/307 redirection) for login pages etc.
> is transparent, opportunistic, and easy to do, and a widespread example
> that gets the opportunistic idea across; I've explained this to Stephen
> previously.

OS should be applied to HTTP, but there may be enough to discuss there
that we'd never finish with this I-D if we had to deal with it now.

But yes, HTTP w/ OS is something we'll definitely want.  At the most
basic level, if a server advertises TLSA RRs in DNS, verifiable with
DNSSEC, then HTTP clients that support OS should (MUST!) use HTTPS for
all HTTP requests to such a server.

The tricky issue is: how can users and hypermedia authors denote "no
fallback to cleartext" -- adding a new URI scheme is the first thought
that comes to mind about that, but it seems likely not to be that
simple.  Admittedly a "no fallback to cleartext" indication may prove
unnecessary: eventually support for unauthenticated encryption may reach
a large enough proportion of servers that clients can begin disabling
fallback to cleartext.  But you see my concern: it's too soon to tell
whether we'll need to do anything about indicating no fallback to
cleartext.

Nico
-- 
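The client-side rule Nico sketches (validated TLSA in DNS means HTTPS for every request, no cleartext fallback; otherwise try TLS opportunistically and tolerate an unauthenticated peer) written out as a decision function, together with the DANE-EE match (RFC 6698, usage 3) a client would apply once the TLS handshake presents a certificate. This is an added example, not code from the thread or the I-D. Its resolver is a constructed in-memory zone standing in for a validating resolver's answer and AD bit, the certificate and SPKI bytes are constructed placeholders rather than real DER, the upgrade always targets port 443 (an explicit port in the http URL is dropped), and the `no_fallback` parameter is a hypothetical model of the "no fallback to cleartext" marker the thread discusses without defining.

```python
# Added example (not from the thread): an HTTP client's opportunistic-security
# decision, driven by DNSSEC-validated TLSA records, plus the DANE-EE match
# applied once TLS is up.  The resolver and certificate bytes are constructed.
import hashlib
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class TLSA:
    usage: int          # RFC 6698 certificate usage (3 = DANE-EE)
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int  # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes         # certificate association data


@dataclass(frozen=True)
class DnsAnswer:
    records: tuple      # TLSA records returned for the name
    ad: bool            # AD bit: the answer was validated with DNSSEC


@dataclass(frozen=True)
class Policy:
    url: str                     # URL the client should actually fetch
    authenticated: bool          # must the server be authenticated?
    fallback_to_cleartext: bool  # may the client retry over plain HTTP?


# Constructed stand-in for a validating resolver.  Real code would query
# _443._tcp.<host> IN TLSA and read the AD bit from the response.
SPKI = b"constructed SubjectPublicKeyInfo"
CERT = b"constructed end-entity certificate"
FAKE_ZONE = {
    # Signed zone: TLSA present and validated.
    "_443._tcp.signed.example": DnsAnswer(
        (TLSA(3, 1, 1, hashlib.sha256(SPKI).digest()),), ad=True),
    # TLSA present but not validated: indistinguishable from a forgery.
    "_443._tcp.unsigned.example": DnsAnswer(
        (TLSA(3, 1, 1, hashlib.sha256(SPKI).digest()),), ad=False),
}


def lookup_tlsa(host: str, zone=FAKE_ZONE) -> tuple:
    """TLSA records for HTTPS on `host`; () unless DNSSEC validated them."""
    answer = zone.get(f"_443._tcp.{host}", DnsAnswer((), ad=False))
    return answer.records if answer.ad else ()


def choose_policy(url: str, no_fallback: bool = False, zone=FAKE_ZONE) -> Policy:
    """Decide how an OS-aware client fetches `url`.

    `no_fallback` is a hypothetical stand-in for the "no fallback to
    cleartext" indication the thread discusses; its encoding is undefined.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        # Explicit https: authenticate as usual and never downgrade.
        return Policy(url, authenticated=True, fallback_to_cleartext=False)
    if parts.scheme != "http":
        raise ValueError(f"unsupported scheme: {parts.scheme}")
    # Assumption: the upgrade targets port 443, so any explicit port is dropped.
    https_url = urlunsplit(("https", parts.hostname, parts.path,
                            parts.query, parts.fragment))
    if lookup_tlsa(parts.hostname, zone):
        # Validated TLSA: the server has committed to TLS, so every request
        # goes over HTTPS and the peer must match the TLSA data.
        return Policy(https_url, authenticated=True, fallback_to_cleartext=False)
    # No validated TLSA: try TLS anyway, accept an unauthenticated peer,
    # and fall back to cleartext unless told not to.
    return Policy(https_url, authenticated=False,
                  fallback_to_cleartext=not no_fallback)


def tlsa_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """DANE-EE check: does the presented end-entity certificate match
    `record`?  Usages 0-2 need PKIX chain validation as well, which this
    example does not perform, so they are rejected rather than accepted."""
    if record.usage != 3:
        return False
    subject = {0: cert_der, 1: spki_der}.get(record.selector)
    if subject is None:
        return False
    if record.matching_type == 0:
        candidate = subject
    elif record.matching_type == 1:
        candidate = hashlib.sha256(subject).digest()
    elif record.matching_type == 2:
        candidate = hashlib.sha512(subject).digest()
    else:
        return False
    return candidate == record.data


def authenticate(host: str, cert_der: bytes, spki_der: bytes,
                 zone=FAKE_ZONE) -> bool:
    """Any one matching validated TLSA record authenticates the server."""
    return any(tlsa_matches(r, cert_der, spki_der)
               for r in lookup_tlsa(host, zone))


if __name__ == "__main__":
    for u in ("http://signed.example/login", "http://unsigned.example/login",
              "https://signed.example/"):
        print(u, "->", choose_policy(u))
    print("signed.example authenticates:", authenticate("signed.example", CERT, SPKI))
```

The unsigned.example entry is the case worth noticing: a TLSA record that arrives without the AD bit is treated exactly like no record at all, because an attacker who can spoof the answer could just as easily strip it, so it buys no more than opportunistic TLS does on its own.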




