- From: Mark Nottingham <mnot@mnot.net>
- Date: Mon, 6 Aug 2012 17:14:00 -0500
- To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Cc: Willy Tarreau <w@1wt.eu>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
On 06/08/2012, at 5:12 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:

>> Proxy Connection for HTTPS :
>> [ ] proxy may inspect contents fetched over HTTPS (GET https://)
>> except for those sites : _______________
>
> Does that whitelisting approach break TLS client auth and channel binding? I guess we'd need to see a draft to know but regardless of the fact that those are not very widely used, re-defining https like this in a way that breaks those features seems like a bad plan.
>
>> [ ] proxy may not inspect contents fetched over HTTPS (CONNECT)
>
> With what default? I'd bet there are many wrinkles here. What about use of SNI in TLS to select between hosts?
>
> Really, I think your proposal doesn't work out in the end. I also understand why you propose it, but suspect that like many such proposals there are many more problems than are apparent at first.

At first glance, it seems like HSTS would need to be extended to cover the new possibilities…

Cheers,

--
Mark Nottingham
http://www.mnot.net/
Received on Monday, 6 August 2012 22:14:24 UTC