W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2012

Re: Semantics of HTTPS

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Thu, 13 Sep 2012 10:19:28 +0100
Message-ID: <5051A520.7080009@cs.tcd.ie>
To: Mark Nottingham <mnot@mnot.net>
CC: Willy Tarreau <w@1wt.eu>, Eric Rescorla <ekr@rtfm.com>, "Adrien W. de Croy" <adrien@qbik.com>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>


On 09/13/2012 09:52 AM, Mark Nottingham wrote:
> 
> On 13/09/2012, at 6:30 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
>>
>> Hi Willy,
>>
>> On 09/13/2012 06:47 AM, Willy Tarreau wrote:
>>> Hi Mark,
>>>
>>> On Thu, Sep 13, 2012 at 03:06:24PM +1000, Mark Nottingham wrote:
>>>> I haven't seen any more discussion of this. 
>>>>
>>>> Being that both the TLS WG Chair and at least one security AD have both
>>>> unambiguously said that it should be considered an e2e protocol (please
>>>> correct if I'm wrong), we return to the original question --
>>>>
>>>> Should we state that the HTTPS URI scheme implies end-to-end security (i.e.,
>>>> between the user-agent and the origin server)?
>>>
>>> I have thought a bit about the arguments made in favor of this and my
>>> opinion has evolved on the subject. I think that we should probably keep
>>> the https scheme as "end-to-end" so that the user is sure about this,
>>> but in this case we'd need another scheme for the https from proxy to
>>
>> Do you mean another URI scheme?
>>
>> That might be a way forward since it'd allow both ends (UA, site)
>> some choice in whether they'd allow middlebox snooping.
> 
> 
> I really think a new scheme is a non-starter here...

Tend to agree. That's why Willy's mail confused me.

S.
Received on Thursday, 13 September 2012 09:19:51 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 13 September 2012 09:19:57 GMT