Re: Semantics of HTTPS

From: Mark Nottingham <mnot@mnot.net>
Date: Mon, 6 Aug 2012 17:14:00 -0500
Cc: Willy Tarreau <w@1wt.eu>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-Id: <11237AD8-5651-4325-9BE6-F94A2404AD6E@mnot.net>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>

On 06/08/2012, at 5:12 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:

>>    Proxy Connection for HTTPS :
>>        [ ] proxy may inspect contents fetched over HTTPS  (GET https://)
>>            except for those sites : _______________
> 
> Does that whitelisting approach break TLS client auth and channel
> binding? I guess we'd need to see a draft to know but regardless of
> the fact that those are not very widely used, re-defining https
> like this in a way that breaks those features seems like a bad
> plan.
> 
>>        [ ] proxy may not inspect contents fetched over HTTPS  (CONNECT)
> 
> With what default? I'd bet there are many wrinkles here. What about
> use of SNI in TLS to select between hosts?
> 
> Really, I think your proposal doesn't work out in the end. I also
> understand why you propose it, but suspect that like many such
> proposals there are many more problems than are apparent at first.

At first glance, it seems like HSTS would need to be extended to cover the new possibilities…

Cheers,

--
Mark Nottingham
http://www.mnot.net/
Received on Monday, 6 August 2012 22:14:24 GMT
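As an added illustration (not code from this thread or from any IETF/W3C project), the following Python models the quoted checkbox proposal and the objection raised against it: the policy shape, the per-site properties, the default and the host names are all assumptions made here.

```python
"""Toy model of the "inspect HTTPS except for these sites" proxy proposal.

Assumed shapes, not anything defined in the thread: a policy with an optional
inspect flag plus an exception list, and per-site flags saying whether the
site relies on TLS client authentication or channel binding. A proxy that
terminates TLS to inspect traffic cannot preserve those end-to-end features,
so any such site must be on the exception list or the feature breaks.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

INSPECT = "inspect"   # proxy terminates TLS and sees plaintext (GET https://)
TUNNEL = "tunnel"     # proxy relays opaque bytes (CONNECT)


@dataclass
class ProxyPolicy:
    # None models the "with what default?" case: the box was never ticked.
    may_inspect: Optional[bool] = None
    except_sites: Set[str] = field(default_factory=set)


@dataclass
class SiteProperties:
    host: str
    requires_client_auth: bool = False
    uses_channel_binding: bool = False


def decide(policy: ProxyPolicy, site: SiteProperties, default: str = TUNNEL) -> str:
    """Return INSPECT or TUNNEL for one HTTPS request to site.host."""
    if policy.may_inspect is None:
        return default  # unset policy: fall back to an explicit, safe default
    if not policy.may_inspect or site.host in policy.except_sites:
        return TUNNEL
    return INSPECT


def check_breakage(policy: ProxyPolicy, sites: List[SiteProperties]) -> List[str]:
    """Hosts whose client auth or channel binding the policy would break."""
    broken = []
    for site in sites:
        needs_end_to_end = site.requires_client_auth or site.uses_channel_binding
        if needs_end_to_end and decide(policy, site) == INSPECT:
            broken.append(site.host)
    return broken


# Constructed sample hosts (placeholders, not real sites).
SAMPLE_SITES = [
    SiteProperties("bank.example", requires_client_auth=True),
    SiteProperties("sso.example", uses_channel_binding=True),
    SiteProperties("news.example"),
]
```

Running `check_breakage` against a policy that ticks "may inspect" with an empty exception list shows exactly which hosts the whitelist would need to name to avoid breaking their end-to-end TLS features.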