Re: Semantics of HTTPS

On 13/09/2012, at 6:30 PM, Stephen Farrell <> wrote:

> Hi Willy,
> On 09/13/2012 06:47 AM, Willy Tarreau wrote:
>> Hi Mark,
>> On Thu, Sep 13, 2012 at 03:06:24PM +1000, Mark Nottingham wrote:
>>> I haven't seen any more discussion of this. 
>>> Being that both the TLS WG Chair and at least one security AD have both
>>> unambiguously said that it should be considered an e2e protocol (please
>>> correct if I'm wrong), we return to the original question --
>>> Should we state that the HTTPS URI scheme implies end-to-end security (i.e.,
>>> between the user-agent and the origin server)?
>> I have thought a bit about the arguments made in favor of this and my
>> opinion has evolved on the subject. I think that we should probably keep
>> the https scheme as "end-to-end" so that the user is sure about this,
>> but in this case we'd need another scheme for the https from proxy to
> Do you mean another URI scheme?
> That might be a way forward since it'd allow both ends (UA, site)
> some choice in whether they'd allow middlebox snooping.

I really think a new scheme is a non-starter here...

Mark Nottingham

Received on Thursday, 13 September 2012 08:53:07 UTC