- From: Albert Lunde <atlunde@panix.com>
- Date: Sat, 07 Dec 2013 08:25:47 -0600
- To: HTTP Working Group <ietf-http-wg@w3.org>
Is there any useful role for having a physical file format and file extension that says "here is a proxy's address and TLS certificate", such that if one imported it into a browser it would be trusted? I can see how this could be a security risk via spoofing, but it might cut out some of the protocol/user interface dance in getting a trusted proxy established, by providing an out-of-band way to communicate the trust requirements in a given setting. Signing the file as a whole seems like a good idea, but I'd rather have plain text and one or more base-64 blobs than a pure binary format that would be easier to use to hide an executable. I am assuming typical users would double-click on the file to process it, even though that is frequently a bad idea.
Received on Saturday, 7 December 2013 14:26:03 UTC