Re: Getting to Last Call

Hi Amos,

On Thu, Dec 15, 2011 at 08:42:21PM +1300, Amos Jeffries wrote:
> I'm wavering between "please, please, please!", and "What can HTTPbis do 
> about it?".

Simply suggest that proxies SHOULD support it and that UAs SHOULD use it.

> In Squid we have supported SSL/TLS negotiation on incoming sockets for 
> some years now.

Glad to know, but we're still waiting for UAs to use it !

> For us it is simply a matter of the UA adding TLS on its 
> connections. AFAIK, only two UA have implemented it in all these years.

I've not even identified them :-(

> So what can HTTPbis do beyond what is already done in part 1 section 2.7.2 ?

Encourage its use by default ?

Also, decide whether proxies should perform https request on behalf of UAs
when they emit "https://" proxy requests. This would :
  - permit proxies to filter inappropriate requests (important in schools
    where you don't want you kids to visit adult sites)
  - make it possible to disable use of the CONNECT method which right
    now is a big security issue (I'm even regularly using it to SSH outside)
  - make it possible for content filtering proxies to filter responses
  - all of this without emitting fake certificates.

> Better wording would perhapse be:
>   Unlike the "http" scheme, responses to "https" identified requests
>   default to "private" and thus MUST NOT be reused for shared caching
>   unless the "public" cache control is sent to indicate otherwise.

I agree this would help a lot !

Best regards,

Received on Thursday, 15 December 2011 08:11:03 UTC