Re: Semantics of HTTPS from Amos Jeffries on 2012-08-06 (ietf-http-wg@w3.org from July to September 2012)

From: Amos Jeffries <squid3@treenet.co.nz>
Date: Tue, 07 Aug 2012 11:53:24 +1200
To: <ietf-http-wg@w3.org>
Message-ID: <2a157d42125b0e82895df3a187cfef7e@treenet.co.nz>

On 07.08.2012 08:32, Mark Nottingham wrote:
> 
> <https://svn.tools.ietf.org/svn/wg/httpbis/draft-ietf-httpbis/latest/p1-messaging.html#https.uri>
> is slated to define the semantics of HTTPS urls.
>
> We currently talk about HTTPS' impact on caches and identity there,
> but we don't mention one other major effect on HTTP -- the use of
> CONNECT to proxies.
>
> I think we need to define HTTPS as having a semantic of *end-to-end*
> use of SSL/TLS, and therefore CONNECT to proxies.
>
> Make sense?

CONNECT is not end-to-end either and the spec text may have confused 
some people when designing the traffic-light and padlock UI mechanisms. 
It's just a hop compaction over several stages.

  W-X-Y-Z may be CONNECT at W-X, and HTTPS W-Y, with no indication of 
what Y-Z is being used.

Creating a HTTPS trusted connection from location W to trusted proxy Y. 
Trusted by who is the debatable detail.

AYJ

Received on Monday, 6 August 2012 23:53:48 UTC