Re: Yet another trusted proxy suggestion from Paul Hoffman on 2013-11-30 (ietf-http-wg@w3.org from October to December 2013)

From: Paul Hoffman <paul.hoffman@gmail.com>
Date: Sat, 30 Nov 2013 07:54:22 -0800
To: Nicolas Mailhot <nicolas.mailhot@laposte.net>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Yoav Nir <synp71@live.com>, HTTP Group <ietf-http-wg@w3.org>
Message-ID: <CAPik8ybnZfxNAuHTmDFMwzco_Eo-+ExyJ2cEwO0ef8ytU+vt4Q@mail.gmail.com>

On Fri, Nov 29, 2013 at 1:45 AM, Nicolas Mailhot <
nicolas.mailhot@laposte.net> wrote:

>
> So unless a bank representative states the contrary, all my technical
> experience screams its a non-problem.
>

+1. Stephen's response (that a bank can't currently know if there is a TLS
proxy in HTTP/1.1) ignores what Yoav said, which is that such a bank could
detect that by forcing client auth. Of course they won't do that, but they
of course also won't have to because then they would be forced to not have
internet banking.

Stephen: if you have a real regulation and legal interpretation that we can
look at, we can look at that. "What if someone interprets a law in the way
I want them to because I don't like TLS proxies..." is not a useful
measure.

Received on Saturday, 30 November 2013 15:54:48 UTC