
Re: Getting to Last Call

From: Roy T. Fielding <fielding@gbiv.com>
Date: Thu, 29 Dec 2011 19:55:41 -0800
Cc: Willy Tarreau <w@1wt.eu>, HTTP Working Group <ietf-http-wg@w3.org>, Peter Saint-Andre <stpeter@stpeter.im>, Adrien de Croy <adrien@qbik.com>
Message-Id: <FC537A08-4983-4F6A-B626-281FAA694A39@gbiv.com>
To: Mark Nottingham <mnot@mnot.net>
On Dec 29, 2011, at 4:44 PM, Mark Nottingham wrote:

> SHOULD affects conformance. At most, I think we'd add something to the security considerations saying that proxies "ought to" or "are encouraged to."

FWIW, I consider it to be a security hole for any user agent
to automatically change the configured proxy authority.  If
the user/org wants to connect via TLS, then the user/org should
configure the proxy with an https URI.  There is no guarantee
that a proxy on port 443 is controlled by the same org as the
one on port 80.

OTOH, the spec already allows communication on port 80 to be
Upgraded to TLS.  No changes are necessary to support that.

....Roy
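An added illustration, not part of the thread, of the distinction Roy draws: a resolver that honours exactly the configured proxy URI beside one that silently swaps a port-80 proxy for port 443 when it "prefers" TLS. The host name and the operator mapping are constructed to show that the two ports need not belong to the same party.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass(frozen=True)
class ProxyTarget:
    host: str
    port: int
    tls: bool  # TLS to the proxy itself, decided only by the configured scheme


def configured_resolver(proxy_uri: str) -> ProxyTarget:
    """Connect to exactly the authority the user/org configured.

    An https proxy URI means TLS to the proxy; an http URI means cleartext
    (which the peer may later Upgrade to TLS on that same connection).
    """
    parts = urlsplit(proxy_uri)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported proxy URI: {proxy_uri!r}")
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    return ProxyTarget(parts.hostname, port, parts.scheme == "https")


def auto_upgrading_resolver(proxy_uri: str, prefer_tls: bool) -> ProxyTarget:
    """The behaviour objected to in the message: rewrite a configured
    http://host:80 proxy to https://host:443 because the client prefers TLS."""
    target = configured_resolver(proxy_uri)
    if prefer_tls and not target.tls and target.port == 80:
        return ProxyTarget(target.host, 443, True)
    return target


# Constructed deployment: ports 80 and 443 on one host are run by different
# parties. Nothing in HTTP guarantees they share an operator.
OPERATORS = {
    ("proxy.example", 80): "corporate-it",
    ("proxy.example", 443): "unrelated-tenant",
}


def operator_reached(target: ProxyTarget) -> str:
    """Who actually terminates the connection for a resolved target."""
    return OPERATORS.get((target.host, target.port), "unknown")


if __name__ == "__main__":
    cfg = "http://proxy.example:80"
    print("configured resolver reaches:", operator_reached(configured_resolver(cfg)))
    print("auto-upgrade reaches:", operator_reached(auto_upgrading_resolver(cfg, True)))
```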
Received on Friday, 30 December 2011 03:56:41 GMT
