- From: Roberto Peon <grmocg@gmail.com>
- Date: Tue, 3 Apr 2012 00:17:02 -0700
- To: patrick mcmanus <pmcmanus@mozilla.com>
- Cc: ietf-http-wg@w3.org
- Message-ID: <CAP+FsNeBXtpnJhYC0uMO=LwSH3JR-kKDp45me_sW1nNz=6CbDg@mail.gmail.com>
On Mon, Apr 2, 2012 at 4:21 PM, patrick mcmanus <pmcmanus@mozilla.com>wrote: > On 4/2/2012 7:11 PM, Adrien W. de Croy wrote: > >> >> So providing explicit support would make life a fair bit easier. I'm >> pretty sure everyone who wrote MITM was holding their nose at the time. >> > > ++yes, and we could probably also provide a mechanism for signing content > e2e so the end user can still verify with the normal pki whether or not the > integrity assertion of the resources match the host in the uris. > Yup, that was also what I was saying before. That would also allow the first request to tell the UA what the site's policy for subsequent (i.e. allow MITM or not) would or could be. I'm agreed on the rest a well.. -=R > I'm as firm on TLS-everywhere as anyone, but I recognize in some > situations the user will need to consent to a non e2e version. Informed > consent with reasonable granularity (Will's mention that CONNECT or > block-me is still appropriate for a subset of things) is critical here, as > is the elimination of passive attacks. That is still a massive win for > privacy. The framework for consent needs work, and things like wpad > probably need a new looking over. Undeniably hard stuff. > > We've got time for all of that if we're pointed in roughly the same > direction. > -P > > > > > >
Received on Tuesday, 3 April 2012 07:17:36 UTC