
Re: HTTP/2.0 goal: policy enforcement

From: Adam Barth <w3c@adambarth.com>
Date: Sun, 25 Mar 2012 17:46:57 -0700
Message-ID: <CAJE5ia_s4ZRy5MH8cO0QSxCkE51zO=Kem5jWcWq4B5G0QOoDSw@mail.gmail.com>
To: "Adrien W. de Croy" <adrien@qbik.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>

Don't these intermediaries need to support TLS anyway to enforce an
acceptable use policy on HTTPS traffic?

It's widely believed that encouraging the use of TLS will improve
security on the web.  Encouraging the use of TLS with HTTP/2.0 would
seem to be a net benefit to the world.

Adam


On Sun, Mar 25, 2012 at 1:24 PM, Adrien W. de Croy <adrien@qbik.com> wrote:
> Hi all
>
> I think there's a goal that hasn't been stated for HTTP/2.0.  The ability to
> control and enforce acceptable use policy, as practised by countless
> enterprises.
>
> Currently, HTTP is open enough that such control can be implemented.  HTTPS
> poses several problems wrt this aim.
>
> This requirement is real, and is not going to go away.
>
> Adopting an SSL/TLS only option for any replacement protocol makes life
> difficult for
>
> a) proxy vendors (have to code MITM software)
> b) their customers (have to deploy certificates to make MITM work)
>
> For this reason alone I don't see SPDY in its current form as a viable
> successor to HTTP.
>
> Since I believe the main reason to adopt TLS for SPDY was to enable "out of
> band" negotiation of which protocol was going to be used, then we would
> require another method for this.
>
> Proxies are an important part of HTTP infrastructure, and wanted by
> customers.  Developing a successor to HTTP/1.1 without enabling reliable /
> simple proxy function would be a huge mistake IMO.
>
> Willy / Amos, I'm keen to see what you guys come up with.
>
> Adrien
>
>
Received on Monday, 26 March 2012 00:48:00 GMT
