W3C home > Mailing lists > Public > public-bpwg-comments@w3.org > July to September 2008

Re: Content Transformatnion Guidelines: Last Call Working Draft

From: Thomas Roessler <tlr@w3.org>
Date: Fri, 29 Aug 2008 11:01:32 +0200
To: Dominique Hazael-Massieux <dom@w3.org>, public-bpwg-comments@w3.org
Cc: Mary_Ellen_Zurko@notesdev.ibm.com, public-wsc-wg@w3.org
Message-ID: <20080829090132.GB224@iCoaster.does-not-exist.org>

Dom,

thanks for your request for review.

With respect to the guidelines regarding the rewriting of HTTPS
URIs, we notice that any such rewriting will break any use of TLS
for authenticating the client to the server (e.g., use of TLS client
certificates). Similarly, any applications on top of HTTPS that rely
on TLS channel bindings would detect the proxy's intervention as an
attack, and lead to a broken user experience; see RFC 5056 for more
details about channel bindings.

We recommend that you discuss this aspect with the IETF TLS Working
Group.

Regards,
-- 
Thomas Roessler, W3C  <tlr@w3.org>  +33-4-89063488





On 2008-08-05 13:52:01 +0200, Dominique Hazael-Massieux wrote:
> From: Dominique Hazael-Massieux <dom@w3.org>
> To: Mary_Ellen_Zurko@notesdev.ibm.com, tlr <tlr@w3.org>
> Cc: chairs <chairs@w3.org>
> Date: Tue, 05 Aug 2008 13:52:01 +0200
> Subject: Re: Content Transformation Guidelines: Last Call Working Draft
> X-Spam-Level: 
> Organization: W3C
> X-Bogosity: Ham, tests=bogofilter, spamicity=0.395700, version=1.1.6
> 
> Hello Web Security Context WG Chair and Staff Contact,
> 
> We would like to extend our invitation below to review the Content
> Transformation Guidelines to the Web Security Context Working Group, in
> particular on the guidelines regarding the rewriting of HTTPS URIs:
> http://www.w3.org/TR/2008/WD-ct-guidelines-20080801/#sec-https-link-rewriting
> 
> Thanks,
> 
> Dom
> 
> Le vendredi 01 août 2008 à 18:31 +0200, Dominique Hazael-Massieux a
> écrit :
> > The W3C Mobile Web Best Practices Working Group has been developing a
> > set of guidelines for Content Transformation proxies (i.e. non
> > transparent HTTP proxies) to address some of the needs identified in
> > particular on mobile networks.
> > 
> > These guidelines have just been published as a Last Call Working Draft:
> > http://www.w3.org/TR/2008/WD-ct-guidelines-20080801/
> > 
> > The Last Call review period extends until September 16, and we would be
> > grateful if your group could review the document, in particular:
> >  * for the TAG, since the document relates to its issue
> > genericResources-53 and its accompanying finding
> > http://www.w3.org/2001/tag/doc/alternatives-discovery (the BPWG will
> > send comments on that finding next week)
> >  * for the HTML and XHTML2 Working Groups, since the document makes use
> > of the (X)HTML link element to give hints on content transformation
> > proxies
> >  * for the WebApps Working Group, since the document has some provision
> > on specific behavior for XmlHTTPRequest type of requests (as highlighted
> > by one of our own comments on the XmlHTTPRequest spec:
> > http://lists.w3.org/Archives/Public/public-webapi/2008May/0064.html )
> >  * for the HyperText CG, as the official point of liaison with the Open
> > Mobile Alliance which might want to submit a review on the document
> > given its implications on the mobile ecosystem
> > 
> > (the Working Group is also requesting a review from the IETF HTTPBis
> > Working Group [1], and will do as well with targeted mobile web
> > developers communities which have been vocal on that topic).
> > 
> > If your group wants to submit a review but is unable to provide it in
> > that timeframe, please let us know so that we can determine a possible
> > extension of the review period.
> > 
> > Thanks,
> > 
> > Dominique Hazael-Massieux, Staff Contact of the Mobile Web Best
> > Practices Working Group
> > 
> > 1. http://lists.w3.org/Archives/Public/ietf-http-wg/2008JulSep/0213.html
> > 
> 
> 
Received on Friday, 29 August 2008 09:06:02 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:01:50 UTC