- From: Mark Nottingham <mnot@mnot.net>
- Date: Thu, 13 Sep 2012 18:52:37 +1000
- To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Cc: Willy Tarreau <w@1wt.eu>, Eric Rescorla <ekr@rtfm.com>, "Adrien W. de Croy" <adrien@qbik.com>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
On 13/09/2012, at 6:30 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > > Hi Willy, > > On 09/13/2012 06:47 AM, Willy Tarreau wrote: >> Hi Mark, >> >> On Thu, Sep 13, 2012 at 03:06:24PM +1000, Mark Nottingham wrote: >>> I haven't seen any more discussion of this. >>> >>> Being that both the TLS WG Chair and at least one security AD have both >>> unambiguously said that it should be considered an e2e protocol (please >>> correct if I'm wrong), we return to the original question -- >>> >>> Should we state that the HTTPS URI scheme implies end-to-end security (i.e., >>> between the user-agent and the origin server)? >> >> I have thought a bit about the arguments made in favor of this and my >> opinion has evolved on the subject. I think that we should probably keep >> the https scheme as "end-to-end" so that the user is sure about this, >> but in this case we'd need another scheme for the https from proxy to > > Do you mean another URI scheme? > > That might be a way forward since it'd allow both ends (UA, site) > some choice in whether they'd allow middlebox snooping. I really think a new scheme is a non-starter here... -- Mark Nottingham http://www.mnot.net/
Received on Thursday, 13 September 2012 08:53:07 UTC