- From: Mark Nottingham <mnot@mnot.net>
- Date: Thu, 13 Sep 2012 21:02:18 +1000
- To: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Cc: Eric Rescorla <ekr@rtfm.com>, "Adrien W. de Croy" <adrien@qbik.com>, Willy Tarreau <w@1wt.eu>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
On 13/09/2012, at 3:49 PM, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:

> In message <53FE12F6-33BE-4731-8E20-72A79496EB80@mnot.net>, Mark Nottingham writes:
>
>> Should we state that the HTTPS URI scheme implies end-to-end security
>> (i.e., between the user-agent and the origin server)?
>
> Given the current hostile actions in the certificate-space, I think such
> a statement should be footnoted with something like:
>
> Please notice that "end" in this context merely means "where
> the SSL/TLS session terminates". Only proper handling and
> examination of the involved cryptographic keys can provide
> assurance that the other "end" is where it claims to be.

HTTPS isn't specific to TLS -- that's just one way to provide the semantics of the scheme. What you're saying is more like implementation notes -- useful, but probably doesn't belong in the spec.

Cheers,

--
Mark Nottingham
http://www.mnot.net/
Received on Thursday, 13 September 2012 11:02:50 UTC