- From: Mark Nottingham <mnot@mnot.net>
- Date: Sat, 24 Dec 2011 08:52:35 -0500
- To: Willy Tarreau <w@1wt.eu>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>, Peter Saint-Andre <stpeter@stpeter.im>, Adrien de Croy <adrien@qbik.com>
Hi Willy, This is certainly desirable, but just making it a requirement would make pretty much every proxy non-conformant, so that's a big step. Would it be sufficient to just encourage use / support of HTTPS with proxies? On 15/12/2011, at 1:38 AM, Willy Tarreau wrote: > Hi Mark, > > On Thu, Dec 15, 2011 at 01:01:36PM +1100, Mark Nottingham wrote: >> We're not quite ready for Working Group Last Call, but I do believe it's not far off. So, if you have issues to bring to the Working Group, please do so soon. > > Mid-April, we had a discussion with Adrien the suggestion of making UAs > connect to proxies using https instead of http so that we stop the horrors > that are currently performed for authentication in many corporate environments > (you know, redirect to https for auth + set-cookie for the target domain + > redirect again + failure quite often...), and apparently there was no ticket > for this. > > Adrien even suggested the use of "GET https://" instead of CONNECT in > some cases so that filtering proxies can safely inspect the contents. > > Since corporate proxies are a place where HTTP works very badly, I think > we should address these issues before the final release. > > Best regards, > Willy > -- Mark Nottingham http://www.mnot.net/
Received on Saturday, 24 December 2011 13:53:08 UTC