- From: Jeff Pinner <jpinner@twitter.com>
- Date: Tue, 25 Feb 2014 18:35:08 -0800
- To: Peter Lepeska <bizzbyster@gmail.com>
- Cc: Ryan Hamilton <rch@google.com>, Roland Zink <roland@zinks.de>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
- Message-ID: <CA+pLO_iWNoj7Z5P1s7uNtSSWEpsKcqmZ3AKSEE__3NidNbQJPg@mail.gmail.com>
Currently, "http" and "https" conflate the browser security model with the transport security model. The "https" browser security model might not be acceptable for certain resources even if the transport security model is preferable. On Tue, Feb 25, 2014 at 5:09 PM, Peter Lepeska <bizzbyster@gmail.com> wrote: > Hi Salvatore, > > As you know, I'm all for new proposals that support both Secure Proxy and > Trusted Proxy. So thanks for writing and posting this. I'm struggling to > understanding how http URIs over TLS work as described in your draft. My > main question is: > > If the content server supports authenticated TLS, then why isn't the > content just hosted via "https"-schemed URIs? What is the reason that the > content server would make this content available via http schemes? > > Thanks, > > Peter > > > > > > > On Tue, Feb 25, 2014 at 10:31 AM, Ryan Hamilton <rch@google.com> wrote: > >> I think that Will is supportive of secure proxies as he said upthread: >> >> Let's be clear, these are two different things. There's "secure proxy" >> which is securing the connection between the proxy and the client. I'm >> supportive of standardizing this. >> >> >> Chrome currently supports specifying such proxies via pac files: >> >> http://www.chromium.org/developers/design-documents/secure-web-proxy >> >> >> Cheers, >> >> Ryan >> >> >> On Tue, Feb 25, 2014 at 1:40 AM, Roland Zink <roland@zinks.de> wrote: >> >>> On 24.02.2014 22:25, William Chan (ιζΊζ) wrote: >>> >>>> I've asked this before, and I still think it's a reasonable question. >>>> Is there another vendor that wants to interop with this kind of proxy? >>>> I'm asking this because I think that the purpose of standardizing such >>>> a proposal is for interoperability across vendors, and I don't see the >>>> point if the only implementations are Ericsson. But I may be >>>> misunderstanding IETF policy here. >>>> >>> There are other implementations of "secure proxies" like Chrome on >>> Android can use a Google proxy. Why should a user trust the Google proxy >>> more than a proxy from <insert your favorite mobile network operator>? An >>> interoperability would be good. >>> >>> >>> >> >
Received on Wednesday, 26 February 2014 02:35:36 UTC