Re: ID for Immutable from Patrick McManus on 2016-10-28 (ietf-http-wg@w3.org from October to December 2016)

From: Patrick McManus <pmcmanus@mozilla.com>
Date: Fri, 28 Oct 2016 13:21:57 -0400
To: Alex Rousskov <rousskov@measurement-factory.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>, Patrick McManus <pmcmanus@mozilla.com>
Message-ID: <CAOdDvNqTabR3zpRgjJVkBPdBVcOboCbG=5b6x+mKauwB1-w=Pw@mail.gmail.com>

I do believe the lack of integrity protection in plaintext transfer is an
important security consideration for immutable that suggests they should
not be used together. I'm open to other wording on it for sure.. https://
might be sufficient here.





On Fri, Oct 28, 2016 at 12:50 PM, Alex Rousskov <
rousskov@measurement-factory.com> wrote:

> On 10/26/2016 03:02 PM, Patrick McManus wrote:
>
> >    o  Clients should ignore immutable for resources that are not part of
> >       a secure context [SECURECONTEXTS].
>
> Please think of the children^H^H^H^H proxies. AFAICT, "secure contexts"
> are currently a user agent concept. If the above "should" is meant to be
> a "SHOULD", then the draft automatically disqualifies most proxies from
> legally utilizing this promising "ignore reload" mechanism.
>
>
> Thank you,
>
> Alex.
>
>

Received on Friday, 28 October 2016 17:22:26 UTC