- From: Thomas Fossati <TFossati@velocix.com>
- Date: Wed, 19 Feb 2014 21:24:50 +0000
- To: William Chan (陈智昌) <willchan@chromium.org>
- CC: Patrick McManus <pmcmanus@mozilla.com>, Salvatore Loreto <salvatore.loreto@ericsson.com>, HTTP Working Group <ietf-http-wg@w3.org>, "draft-loreto-httpbis-trusted-proxy20@tools.ietf.org" <draft-loreto-httpbis-trusted-proxy20@tools.ietf.org>, GUS BOURG <gb3635@att.com>
On 19/02/2014 07:37, "William Chan (陈智昌)" <willchan@chromium.org> wrote:
>That said, I still agree
>with Patrick that there doesn't seem any reason to allow
>differentiation of http vs https traffic. If the user agent and origin
>agree to put http traffic over a user-agent<=>origin TLS connection,
>then they should be allowed to do so without having to mark it via
>ALPN.

As far as I understand, the browser could just decide to use h2 for everything and thus opt-out completely.

The h2clr flag is a hint that the user agent can give to the network. It allows an on-path proxy to jump in, provide strong identity proof, and (if explicitly allowed) MITM the user’s http requests sent over HTTP/2.0+TLS.

Thus, under user consent, the cache/inspection/whatever function for non-https traffic that used to work with cleartext HTTP/1.x is re-enabled.

Win-win?

Cheers
Received on Wednesday, 19 February 2014 21:25:24 UTC