- From: Amos Jeffries <squid3@treenet.co.nz>
- Date: Thu, 22 Jan 2015 17:50:46 +1300
- To: ietf-http-wg@w3.org
On 22/01/2015 12:11 p.m., Martin Thomson wrote:
> On 21 January 2015 at 14:34, Adrien de Croy <adrien@qbik.com> wrote:
>> So there's room for ambiguity around whether the next layer (after CONNECT) is TLS or not. Or do we rely on the identifier also indicating it is over TLS, in which case what if there are 2 TLS layers?
>
> I get your point. My understanding, and what is written down, were indeed quite different.
>
> Does this help?
>
> https://github.com/httpwg/http-extensions/commit/7e2e57a48c21be2b68f856b41095800620fc1a20
>
> http://httpwg.github.io/http-extensions/tunnel-protocol.html#rfc.section.1
> (when Travis catches up)
>

No. Consider that under the new scheme the label for HTTPS tunnels would say "HTTP/1.1" to indicate that an HTTP/1.1 compliant proxy "does not understand nor implement the tunneled protocol".

The client intent is to tunnel TLS to keep the stuff inside secure. It is not appropriate for the HTTP upper layers to expose those intended-private details for all the world to read.

IMO, just indicate TLS as the next layer after CONNECT and have that layer's ALPN (or not) indicate the nested next-layer. If the intermediary is capable of peeking at the TLS ALPN value it can do so itself.

That also resolves security and logistical issues with keeping the two ALPN tags in-sync.

Amos
Received on Thursday, 22 January 2015 04:51:32 UTC
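The "peeking" Amos describes, as an added example that is not code from Amos, the HTTP WG, or the tunnel-protocol draft: a proxy that has accepted a CONNECT reads the first bytes the client sends into the tunnel, and if they form a TLS ClientHello, pulls the protocol names out of its ALPN extension. A second function reconciles that with whatever the client declared in the HTTP-layer header, so the two tags can be checked for the drift Amos mentions instead of trusted blindly. Assumptions: the HTTP-layer header is named `ALPN` and carries a comma-separated, percent-encoded protocol list (as in the draft under discussion; the name and encoding are taken as given here), and the ClientHello used as input is a constructed minimal TLS 1.2 record built inline, not a real capture. Truncated or non-TLS input yields an empty list rather than an exception.

```python
import struct
from urllib.parse import unquote

ALPN_EXT_TYPE = 0x0010  # TLS extension type for ALPN (RFC 7301)


class _Cursor:
    """Bounds-checked reader over a byte buffer; raises ValueError on short reads."""

    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated input")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self):
        return self.take(1)[0]

    def u16(self):
        return struct.unpack("!H", self.take(2))[0]

    def u24(self):
        return int.from_bytes(self.take(3), "big")

    def remaining(self):
        return self.pos < len(self.buf)


def peek_alpn(first_bytes):
    """Return the ALPN names offered in a TLS ClientHello record, or [] if none/unparseable."""
    try:
        rec = _Cursor(first_bytes)
        if rec.u8() != 0x16:              # not a TLS handshake record
            return []
        rec.take(2)                       # record-layer version
        hs = _Cursor(rec.take(rec.u16()))
        if hs.u8() != 0x01:               # not a ClientHello
            return []
        body = _Cursor(hs.take(hs.u24()))
        body.take(2 + 32)                 # client_version + random
        body.take(body.u8())              # session_id
        body.take(body.u16())             # cipher_suites
        body.take(body.u8())              # compression_methods
        exts = _Cursor(body.take(body.u16()))
        while exts.remaining():
            etype = exts.u16()
            edata = _Cursor(exts.take(exts.u16()))
            if etype == ALPN_EXT_TYPE:
                names = _Cursor(edata.take(edata.u16()))
                out = []
                while names.remaining():
                    out.append(names.take(names.u8()).decode("ascii", "replace"))
                return out
        return []
    except ValueError:
        return []


def declared_alpn(header_value):
    """Split an HTTP-layer ALPN header value (assumed comma-separated, percent-encoded)."""
    return [unquote(tok.strip()) for tok in header_value.split(",") if tok.strip()]


def tunnel_label_consistent(header_value, first_bytes):
    """True if the HTTP-layer label and the ClientHello ALPN agree on at least one protocol.

    An absent header leaves nothing to reconcile, so it is treated as consistent.
    """
    declared = declared_alpn(header_value)
    if not declared:
        return True
    return bool(set(declared) & set(peek_alpn(first_bytes)))


def build_client_hello(alpn_protocols):
    """Constructed sample input: a minimal TLS 1.2 ClientHello carrying an ALPN extension."""
    names = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn_protocols)
    alpn_body = struct.pack("!H", len(names)) + names
    ext = struct.pack("!HH", ALPN_EXT_TYPE, len(alpn_body)) + alpn_body
    hello = (
        b"\x03\x03" + b"\x00" * 32        # client_version, random (zeroed, sample only)
        + b"\x00"                         # session_id: empty
        + b"\x00\x02\x13\x01"             # cipher_suites: one suite
        + b"\x01\x00"                     # compression_methods: null
        + struct.pack("!H", len(ext)) + ext
    )
    handshake = b"\x01" + struct.pack("!I", len(hello))[1:] + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    sample = build_client_hello(["h2", "http/1.1"])
    print("offered in ClientHello:", peek_alpn(sample))
    print("header 'h2, http%2F1.1' consistent:", tunnel_label_consistent("h2, http%2F1.1", sample))
    print("header 'h2' vs http/1.1-only hello:",
          tunnel_label_consistent("h2", build_client_hello(["http/1.1"])))
```

Because the proxy only reads the ClientHello, which is sent in the clear, it learns the nested protocol without the HTTP layer having to advertise it; the reconciliation step is what a proxy operator would log or alert on when the two labels disagree.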