W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2012

Re: Semantics of HTTPS

From: Carl Wallace <carl@redhoundsoftware.com>
Date: Thu, 13 Sep 2012 08:03:29 -0400
To: Willy Tarreau <w@1wt.eu>, Mark Nottingham <mnot@mnot.net>
CC: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Eric Rescorla <ekr@rtfm.com>, "Adrien W. de Croy" <adrien@qbik.com>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-ID: <CC7742B1.26F87%carl@redhoundsoftware.com>
On 9/13/12 7:50 AM, "Willy Tarreau" <w@1wt.eu> wrote:

>On Thu, Sep 13, 2012 at 08:59:06PM +1000, Mark Nottingham wrote:
>> We're getting off track here -- this issue is about the semantics of the
>> HTTPS scheme, in the context of HTTPbis, not potential future work.
>
>OK but it was a proposal to address some people's concern that "https"
>means "end-to-end" to people while currently at more and more places
>this is not true anymore.
>
>So the idea was to address this specific concern (which is a UI concern
>in my opinion) by proposing a different scheme in the browser.
>
>It looks like it's not a good idea in the end considering some of the
>points that were made.
>
>Going back to https, PHK is right that ends should be clearly defined,
>at least to the user. In my opinion, https could be end-to-end where
>one end is the local proxy. All we're dealing with is a matter of trust,
>which is not a technical thing to debate on but a user choice.

This gets more complicated where mutual auth is employed and the
destination server does not want to authenticate the proxy, i.e. e2e
authentication.  It'd be nice to have a means of allowing a client to
issue a (short lived) proxy certificate to the proxy to use when
authenticating to the destination, enabling the destination server to
authenticate the client by checking the last non-proxy certificate in the
path.  

>
>If my browser tells me "You asked me to securely connect to this site,
>but the proxy refuses. I can only securely connect to the proxy which
>will securely connect to the site, and will be able to see and modify
>all your exchanges on your behalf. Are you sure you still want to
>connect?"
>then I know what I'm going to decide based on which site I want to visit.
>
>The technical point is if we permit the secure end to start at the proxy,
>then we need to ensure that what is announced to the user is what is
>going to be performed.
>
>Regards,
>Willy
>
>
Received on Thursday, 13 September 2012 12:04:06 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 13 September 2012 12:04:13 GMT