- From: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Date: Fri, 11 Jan 2013 22:03:59 +0000
- To: Eliot Lear <lear@cisco.com>
- cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Ilya Grigorik <ilya@igvita.com>, HTTP Working Group <ietf-http-wg@w3.org>
-------- In message <50F089A4.7070101@cisco.com>, Eliot Lear writes:

>How does this differ from what we have today?

Today HTTP and HTTPS do not offer the concept of a (grudgingly!) trusted proxy: There is no way to have security from your browser to a proxy which implements your company's IT policies, and from that proxy to your bank's net-bank service.

Either your proxy gives up implementing the policy, and lets you connect HTTPS (via CONNECT) end-to-end, or your proxy denies you access, since it cannot implement its policy.

The problem is that people have found a workaround for this HTTPS shortcoming: They (make you) install a bogo-certificate on your machine, which terminates your HTTPS on the proxy, so it can implement its policy, and God knows what happens from there...

And with that, I'm signing off for tonight.

We've discussed this issue previously, people doubted it happened in the real world, I have now pointed to a news-item that settles that question, and we can each continue our crusades against our respective windmills.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
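The message above describes the situation from the client's side: a root certificate installed on the workstation lets a proxy terminate HTTPS, and the browser still shows a padlock. The following is an added example (written for this archive page, not code from the email or from the HTTP Working Group) of the check a user or administrator can run to notice that termination: inspect the certificate actually presented to the client and flag it when its issuer is not one of the public CAs recorded for the site, or when its fingerprint does not match a previously recorded pin. The issuer names, the allowlist, the pin and the two certificate dictionaries are constructed for the example; they are shaped like the dictionaries Python's `ssl.SSLSocket.getpeercert()` returns so the same function works on a live connection via the `fetch_peercert()` helper.

```python
import hashlib
import socket
import ssl
from typing import Optional

# Constructed allowlist: the public CA organisations previously observed issuing
# certificates for the site we care about. A real deployment would record these
# from an uninterrupted connection (e.g. from outside the corporate network).
EXPECTED_ISSUER_ORGS = {"Example Public CA Ltd"}


def _rdn_value(name, key: str) -> Optional[str]:
    """Pull one attribute (e.g. 'organizationName') out of a name in
    getpeercert() format: a tuple of RDNs, each a tuple of (key, value) pairs."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def cert_pin_matches(der_cert: bytes, expected_pin_hex: str) -> bool:
    """Compare the SHA-256 fingerprint of the DER-encoded certificate with a
    fingerprint recorded earlier (a whole-certificate pin, not an SPKI pin)."""
    return hashlib.sha256(der_cert).hexdigest() == expected_pin_hex.lower()


def classify_chain(peercert: dict,
                   der_cert: Optional[bytes] = None,
                   pin_hex: Optional[str] = None) -> dict:
    """Report whether the presented certificate looks like it came from the
    site's real CA or from a locally trusted (proxy) CA."""
    issuer = peercert.get("issuer", ())
    issuer_org = _rdn_value(issuer, "organizationName")
    issuer_cn = _rdn_value(issuer, "commonName")
    subject_cn = _rdn_value(peercert.get("subject", ()), "commonName")

    findings = []
    if issuer_org not in EXPECTED_ISSUER_ORGS:
        findings.append(
            f"issuer {issuer_org!r} / {issuer_cn!r} is not a recorded public CA for this site")
    if der_cert is not None and pin_hex is not None and not cert_pin_matches(der_cert, pin_hex):
        findings.append("certificate fingerprint does not match the recorded pin")

    return {
        "subject": subject_cn,
        "issuer": issuer_org,
        "interception_suspected": bool(findings),
        "findings": findings,
    }


def fetch_peercert(host: str, port: int = 443, timeout: float = 5.0):
    """Live helper (not exercised offline): return (parsed cert, DER bytes) as
    presented to this client for `host`, validated against the OS trust store.
    A terminating proxy with an installed root passes that validation, which is
    exactly why classify_chain() looks at the issuer and the pin instead."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


# Constructed sample: what getpeercert() would return for the bank's own certificate.
DIRECT_CERT = {
    "subject": ((("commonName", "netbank.example"),),),
    "issuer": ((("countryName", "GB"),),
               (("organizationName", "Example Public CA Ltd"),),
               (("commonName", "Example Public CA Ltd RSA 2013"),)),
}

# Constructed sample: the same host as seen through a proxy that re-signs with
# a corporate root installed on the workstation.
PROXIED_CERT = {
    "subject": ((("commonName", "netbank.example"),),),
    "issuer": ((("organizationName", "Example Corp IT"),),
               (("commonName", "Example Corp Proxy CA"),)),
}

# Constructed stand-in for the DER bytes of the bank's certificate and the pin
# recorded from it; real DER would come from getpeercert(binary_form=True).
SAMPLE_DER = b"constructed-der-bytes-for-netbank.example"
SAMPLE_PIN = hashlib.sha256(SAMPLE_DER).hexdigest()


if __name__ == "__main__":
    for label, cert in (("direct", DIRECT_CERT), ("proxied", PROXIED_CERT)):
        print(label, classify_chain(cert, SAMPLE_DER, SAMPLE_PIN))
```

Running the script offline prints one report per constructed certificate; the proxied one is flagged on the issuer alone. Against a live host, `classify_chain(*fetch_peercert("netbank.example"), pin_hex=SAMPLE_PIN)` applies the same two checks to whatever certificate this client actually receives, which is the only vantage point from which the termination described in the message is visible at all.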
Received on Friday, 11 January 2013 22:04:23 UTC