- From: Willy Tarreau <w@1wt.eu>
- Date: Thu, 13 Sep 2012 13:50:49 +0200
- To: Mark Nottingham <mnot@mnot.net>
- Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Eric Rescorla <ekr@rtfm.com>, "Adrien W. de Croy" <adrien@qbik.com>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>

On Thu, Sep 13, 2012 at 08:59:06PM +1000, Mark Nottingham wrote:
> We're getting off track here -- this issue is about the semantics of the
> HTTPS scheme, in the context of HTTPbis, not potential future work.

OK but it was a proposal to address some people's concern that "https" means "end-to-end" to people while currently at more and more places this is not true anymore. So the idea was to address this specific concern (which is a UI concern in my opinion) by proposing a different scheme in the browser. It looks like it's not a good idea in the end considering some of the points that were made.

Going back to https, PHK is right that ends should be clearly defined, at least to the user. In my opinion, https could be end-to-end where one end is the local proxy. All we're dealing with is a matter of trust, which is not a technical thing to debate on but a user choice.

If my browser tells me "You asked me to securely connect to this site, but the proxy refuses. I can only securely connect to the proxy which will securely connect to the site, and will be able to see and modify all your exchanges on your behalf. Are you sure you still want to connect?" then I know what I'm going to decide based on which site I want to visit.

The technical point is if we permit the secure end to start at the proxy, then we need to ensure that what is announced to the user is what is going to be performed.

Regards,
Willy

Received on Thursday, 13 September 2012 11:51:30 UTC