W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2012

Re: Semantics of HTTPS

From: Mark Nottingham <mnot@mnot.net>
Date: Thu, 13 Sep 2012 21:02:18 +1000
Cc: Eric Rescorla <ekr@rtfm.com>, "Adrien W. de Croy" <adrien@qbik.com>, Willy Tarreau <w@1wt.eu>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-Id: <0DC7F811-B516-414D-B51F-1C1F2006AF45@mnot.net>
To: Poul-Henning Kamp <phk@phk.freebsd.dk>

On 13/09/2012, at 3:49 PM, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:

> In message <53FE12F6-33BE-4731-8E20-72A79496EB80@mnot.net>, Mark Nottingham wri
> tes:
> 
>> Should we state that the HTTPS URI scheme implies end-to-end security 
>> (i.e., between the user-agent and the origin server)?
> 
> Given the current hostile actions in the certificate-space, I think such
> a statement should be footnoted with something like:
> 
> 	Please notice that "end" in this context merely means "where
> 	the SSL/TLS session terminates".  Only proper handling and
> 	examination of the involved cryptographic keys can provide
> 	assurance that the other "end" is where it claims to be.
> 

HTTPS isn't specific to TLS -- that's just one way to provide the semantics of the scheme. 

What you're saying is more like implementation notes -- useful, but probably doesn't belong in the spec.

Cheers,


--
Mark Nottingham   http://www.mnot.net/
Received on Thursday, 13 September 2012 11:02:50 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 13 September 2012 11:02:58 GMT