- From: Nicolas Mailhot <nicolas.mailhot@laposte.net>
- Date: Wed, 12 Feb 2014 10:33:21 +0100
- To: "Mark Nottingham" <mnot@mnot.net>
- Cc: "Nicolas Mailhot" <nicolas.mailhot@laposte.net>, "William Chan (陈智昌)" <willchan@chromium.org>, "Peter Lepeska" <bizzbyster@gmail.com>, "Frode Kileng" <frodek@tele.no>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>

On Wed, 12 February 2014 05:52, Mark Nottingham wrote:

> I think the security properties of that scheme are becoming well
> understood, and they are effective within certain bounds. They may not
> allow a proxy to "add value", but that isn't a necessary condition for
> every new addition to the Web, surely?

It's not a case of adding value. It's a case of getting the ecosystem to work well. If you add a measure to fight cache poisoning, but forget to take proxy caches into account, you have users, browser authors and site authors complain that "the proxy broke the web site" when its cache gets poisoned because the other actors forgot to inform it of the security hash (and do not forget that some proxies are deployed explicitly to perform such security checks!)

After months of lurking on this list I'm firmly convinced that 90% of the angst against proxies is due to forgetting the last mile when writing HTTP specs, and that no proxy writer can provide a better user experience if the other actors continue to dismiss proxy concerns at every opportunity.

Regards,

--
Nicolas Mailhot

Received on Wednesday, 12 February 2014 09:33:56 UTC