Re: "Secure" proxies for HTTP URIs [was: new version trusted-proxy20 draft]

There are only a few things http/2 should say about proxies:

Proxies MAY use http/2 to grab the resources for which clients ask.

Proxies MAY offer http/2 to clients.

Clients seeking https URIs via a proxy MUST use CONNECT and end-to-end tls.

If anyone wants a proxy to cache anything, and also wants to use http/2,
they MUST use http-upgrade (rather than alpn) to specify their preference
for http/2 instead of http/1.

(If anyone has a legal requirement to avoid end-to-end encryption, they
MUST accomplish that by avoiding TLS between client and proxy.  Such
requirements MUST NOT affect the rest of us.)

-JimC
--
James Cloos <cloos@jhcloos.com>         OpenPGP: 1024D/ED7DAEA6

Received on Tuesday, 25 February 2014 03:02:19 UTC
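
The rules in the message above, as the request a client would send to its proxy. This is an added example and not part of the original message; the function names are hypothetical, example.com is a constructed input, and the `Upgrade: h2c` / `HTTP2-Settings` header fields are the form the Upgrade mechanism later took in RFC 7540 section 3.2, assumed here as the wire format for "http-upgrade".

```python
import base64
import struct
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def h2_settings_token(settings):
    """base64url-encode a SETTINGS payload (16-bit id, 32-bit value), unpadded."""
    payload = b"".join(struct.pack("!HI", ident, value) for ident, value in settings)
    return base64.urlsafe_b64encode(payload).rstrip(b"=").decode("ascii")


def proxy_request(uri, want_h2=True):
    """Return (request_head, tls_server_name) for fetching `uri` via a proxy.

    tls_server_name is the origin host the client must verify inside the
    tunnel, or None when the URI is plain http and the proxy may cache it.
    """
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("unsupported or malformed URI: %r" % uri)
    host = parts.hostname
    port = parts.port or DEFAULT_PORTS[scheme]
    # IPv6 literals need brackets in authority-form.
    authority = ("[%s]:%d" if ":" in host else "%s:%d") % (host, port)

    if scheme == "https":
        # Tunnel only: the proxy learns the authority, never path or body.
        head = ["CONNECT %s HTTP/1.1" % authority, "Host: %s" % authority]
        return "\r\n".join(head) + "\r\n\r\n", host

    # Plain http: absolute-form target so the proxy can read and cache it.
    target = "http://%s%s" % (parts.netloc, parts.path or "/")
    if parts.query:
        target += "?" + parts.query
    head = ["GET %s HTTP/1.1" % target, "Host: %s" % parts.netloc]
    if want_h2:
        # Constructed sample setting: SETTINGS_MAX_CONCURRENT_STREAMS (0x3) = 100.
        head += ["Connection: Upgrade, HTTP2-Settings", "Upgrade: h2c",
                 "HTTP2-Settings: " + h2_settings_token([(0x3, 100)])]
    return "\r\n".join(head) + "\r\n\r\n", None
```

After a successful CONNECT response the client runs its TLS handshake through the tunnel and verifies the certificate against the returned server name, not against the proxy.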