
Re: Semantics of HTTPS

From: Phillip Hallam-Baker <hallam@gmail.com>
Date: Thu, 13 Sep 2012 07:40:26 -0400
Message-ID: <CAMm+LwjUzwFjuMEGwm-JTdfFEpH6U=LBGjta8Gy6uLUETLOaMA@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: Eric Rescorla <ekr@rtfm.com>, "Adrien W. de Croy" <adrien@qbik.com>, Willy Tarreau <w@1wt.eu>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>

I think that the parentheses need to disappear:

HTTPS URI scheme implies end-to-end security between the user-agent and the
origin server

End-to-end is meaningless unless the specific ends are specified. From a
security point of view the ends that actually matter are usually people and
organizations rather than machines.


I am not sure that the term user-agent is right though since we use HTTPS
for Web Services that have no users involved and I am not sure how the
qualifier origin helps on the server. By definition a server is a
destination.


On Thu, Sep 13, 2012 at 1:06 AM, Mark Nottingham <mnot@mnot.net> wrote:

> I haven't seen any more discussion of this.
>
> Being that both the TLS WG Chair and at least one security AD have both
> unambiguously said that it should be considered an e2e protocol (please
> correct if I'm wrong), we return to the original question --
>
> Should we state that the HTTPS URI scheme implies end-to-end security
> (i.e., between the user-agent and the origin server)?
>
> Regards,
>
>
> On 26/08/2012, at 11:51 AM, Eric Rescorla <ekr@rtfm.com> wrote:
>
> > On Mon, Aug 6, 2012 at 3:39 PM, Adrien W. de Croy <adrien@qbik.com> wrote:
> >> Anyone here from the TLS WG able to comment on whether there are plans to
> >> combat MITM in this respect?  It's interesting to see the comment about
> >> recent TLS WG rejection of support for inspection.
> >
> > As TLS WG Chair:
> > 1. As Stephen says, the TLS WG saw a presentation about explicit support
> > for proxies and there was very little support in the room for that idea. This
> > isn't to say that some future version of this idea would not be accepted,
> > but there are no current plans in this area.
> >
> > 2. RFC 2818 was a TLS WG item, so any updates to that would really need
> > to be done by the TLS WG.
> >
> > -Ekr
>
> --
> Mark Nottingham   http://www.mnot.net/


-- 
Website: http://hallambaker.com/
Received on Thursday, 13 September 2012 11:40:53 GMT
