- From: Nicolas Mailhot <nicolas.mailhot@laposte.net>
- Date: Tue, 1 Oct 2013 11:26:24 +0200
- To: "Stefan Eissing" <stefan.eissing@greenbytes.de>
- Cc: "Mark Nottingham" <mnot@mnot.net>, "ietf-http-wg@w3.org WG" <ietf-http-wg@w3.org>

On Tue, 1 October 2013 10:52, Stefan Eissing wrote:

> Mark,
>
> I like the approach to take the security aspect of the connection out of
> the uri. Using the uri scheme to manage resource security is awkward. We
> can expect security mechanisms to further evolve in the future and
> need to disentangle this from the uri itself. (302-ing all google
> resources works, but seems to indicate something's lacking here.)
>
> As I was not part of the discussions so far, it may be total nonsense, but
> would not a CONNECT against the server be a proper way to negotiate the
> security of the connection and perform possible upgrades to TLS or
> whatever?

Please not unless CONNECT changes drastically from a security point of view. Right now every time an intermediary accepts a CONNECT it makes the same mistake Richelieu made when he gave his full endorsement in writing to Milady (that was ultimately used against both).

CONNECT needs to be extinguished not promoted

--
Nicolas Mailhot

Received on Tuesday, 1 October 2013 09:26:55 UTC