Re: Semantics of HTTPS

I think that the parentheses need to disappear:

HTTPS URI scheme implies end-to-end security between the user-agent and the
origin server

End-to-end is meaningless unless the specific ends are specified. From a
security point of view the ends that actually matter are usually people and
organizations rather than machines.

I am not sure that the term user-agent is right though since we use HTTPS
for Web Services that have no users involved and I am not sure how the
qualifier origin helps on the server. By definition a server is a

On Thu, Sep 13, 2012 at 1:06 AM, Mark Nottingham <> wrote:

> I haven't seen any more discussion of this.
> Being that both the TLS WG Chair and at least one security AD have both
> unambiguously said that it should be considered an e2e protocol (please
> correct if I'm wrong), we return to the original question --
> Should we state that the HTTPS URI scheme implies end-to-end security
> (i.e., between the user-agent and the origin server)?
> Regards,
> On 26/08/2012, at 11:51 AM, Eric Rescorla <> wrote:
> > On Mon, Aug 6, 2012 at 3:39 PM, Adrien W. de Croy <> wrote:
> >> Anyone here from the TLS WG able to comment on whether there are plans to
> >> combat MITM in this respect?  It's interesting to see the comment about
> >> recent TLS WG rejection of support for inspection.
> >
> > As TLS WG Chair:
> > 1. As Stephen says, the TLS WG saw a presentation about explicit support
> > for proxies and there was very little support in the room for that idea. This
> > isn't to say that some future version of this idea would not be accepted,
> > but there are no current plans in this area.
> >
> > 2. RFC 2818 was a TLS WG item, so any updates to that would really need
> > to be done by the TLS WG.
> >
> > -Ekr
> --
> Mark Nottingham


Received on Thursday, 13 September 2012 11:40:53 UTC