On Fri, Apr 24, 2015 at 08:05:43PM -0700, Mike Perry wrote:
** Sure, there could be a pile of new attribute flags that could be set on every HTML resource tag that says the resource must use a "secure http:" channel if the parent document happened to load over a secure channel, but the net engineering effort of deploying that correctly far exceeds the effort needed to mitigate the namespace fragmentation issues that Tim Berners-Lee is seemingly so concerned about.
But just as, as you point out, it is useful for the linker to be able to say "hard fail if you don't have an _authenticated_ secure channel" ("https://"), even in a world where plain "http://" means "an encrypted but possibly unauthenticated channel", the linker may also want to say things like "hard fail unless the cert is issued by Foo" or "hard fail unless the cert/pubkey has hash abc123" or "hard fail unless it's an EV cert" (for whatever that's worth).
Right now, that "s" means "give an annoying warning if there's not a blessed cert, and hard fail if there's no encryption at all", which is rarely the semantics people actually intend.
With HTTP/2 and Let's Encrypt and Chrome suggesting that the annoying warning will start appearing for all unencrypted sites in the medium future, automated DV certs should soon be the minimum "you have to be this tall to play on this Internet" (mumble servers without names mumble), but it may still be useful to distinguish security levels above the minimum in some cases.
- Ian
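
The per-link requirements listed in the reply above ("hard fail unless the cert is issued by Foo", "unless the cert/pubkey has hash abc123", "unless it's an EV cert") can be modelled as a small policy check; this is an added example, not code from the thread or from any browser. `Channel`, `LinkPolicy` and `failures` are hypothetical names, the sample key bytes are constructed, and the rule that issuer and EV requirements imply chain validation while a key pin does not is an assumption of this sketch.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Channel:
    """What the client observed on the connection (constructed model)."""
    encrypted: bool
    chain_valid: bool             # leaf chains to a trusted root and matches the host
    issuer: Optional[str] = None  # issuer name taken from the leaf certificate
    spki_der: bytes = b""         # DER SubjectPublicKeyInfo of the leaf
    ev: bool = False

@dataclass
class LinkPolicy:
    """Requirements attached to a link by the linking page (hypothetical)."""
    authenticated: bool = False        # the "https://" requirement
    issuer: Optional[str] = None       # "hard fail unless issued by Foo"
    spki_sha256: Optional[str] = None  # "hard fail unless pubkey has this hash" (hex)
    ev: bool = False                   # "hard fail unless it's an EV cert"

def failures(policy: LinkPolicy, ch: Channel) -> List[str]:
    """Return unmet requirements; an empty list means the load may proceed."""
    if not ch.encrypted:
        return ["channel is not encrypted"]
    out = []
    # Issuer and EV claims come from the certificate itself, so they mean
    # nothing unless the chain validated; both imply "authenticated".
    if (policy.authenticated or policy.issuer or policy.ev) and not ch.chain_valid:
        out.append("certificate chain not validated")
    if policy.issuer and ch.issuer != policy.issuer:
        out.append("issuer is not " + policy.issuer)
    if policy.ev and not ch.ev:
        out.append("not an EV certificate")
    # A key pin authenticates the peer on its own, with or without a CA.
    if policy.spki_sha256:
        seen = hashlib.sha256(ch.spki_der).hexdigest()
        if not hmac.compare_digest(seen, policy.spki_sha256.lower()):
            out.append("public key hash mismatch")
    return out

# Constructed sample: a self-signed server whose key the linker has pinned.
KEY = b"constructed-spki-bytes"
PIN = hashlib.sha256(KEY).hexdigest()
SELF_SIGNED = Channel(encrypted=True, chain_valid=False, spki_der=KEY)
```

With these rules the self-signed server satisfies a plain link and a link pinned to its key, but not a link that asks for the "https://" level.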