Re: "Secure" proxies for HTTP URIs [was: new version trusted-proxy20 draft] from Salvatore Loreto on 2014-02-24 (ietf-http-wg@w3.org from January to March 2014)

From: Salvatore Loreto <salvatore.loreto@ericsson.com>
Date: Mon, 24 Feb 2014 13:47:52 +0000
To: Patrick McManus <pmcmanus@mozilla.com>
CC: William Chan (陈智昌) <willchan@chromium.org>, "Mark Nottingham" <mnot@mnot.net>, Peter Lepeska <bizzbyster@gmail.com>, "Paul Hoffman" <paul.hoffman@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <16C7E57D-B019-4750-BB48-FFA22195F3E7@ericsson.com>

On Feb 24, 2014, at 2:56 PM, Patrick McManus <pmcmanus@mozilla.com<mailto:pmcmanus@mozilla.com>> wrote:

I don't think there is anything to block http/2 on other than noting proxy connections over tls is a perfectly sensible thing to do.

it is a perfectly and sensible thing to do!
but noting just that maybe it is a little to vague as the spec would not say anything about how
the proxy would be discovered and/or configured.

The one thing I did wonder about was whether an http/2 ua<>proxy connection doing https:// to a http/2 server should make 1 connect per transaction or 1 connect and then multiplex its transactions on that  single stream. (I decided on 1 connect because it minimizes the tls handshakes, but you can argue that multiple connects allow you to better represent priorities and windows through the proxy, etc..)

my preference is on multiple connects (i.e. one for origin server) in order to better represent priorities and windows thru the proxy

Personally I think this is an implementation choice and doesn't need standards language, but reasonable folks may disagree.

to be honest, I don't know if I disagree or not… let me think about it

/Salvatore

On Mon, Feb 24, 2014 at 1:41 AM, William Chan (陈智昌) <willchan@chromium.org<mailto:willchan@chromium.org>> wrote:
On Sun, Feb 23, 2014 at 10:37 PM, Mark Nottingham <mnot@mnot.net<mailto:mnot@mnot.net>> wrote:
>
> On 24 Feb 2014, at 5:35 pm, William Chan (陈智昌) <willchan@chromium.org<mailto:willchan@chromium.org>> wrote:
>
>> I don't think that there's anything HTTP/2 specific about "secure" proxies.
>
> That's kind of what I'm getting at...

Apologies, I clearly missed that sentence later in your email :) I'm
going to blame it on my cold.

>
>> Should we decouple it and just standardize it separately from HTTP/2 (although I think it's likely that the HTTP/2 spec may want to reference it)?
>
> Well, my point was that I wasn't even sure it's something "we" need to do (i.e., this WG). What actually would need to be written down?

Uh, good point. I dunno :)

>
> Cheers,
>
> --
> Mark Nottingham   http://www.mnot.net/

>
>
>

Received on Monday, 24 February 2014 13:48:16 UTC