W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2014

Re: new version trusted-proxy20 draft

From: Peter Lepeska <bizzbyster@gmail.com>
Date: Wed, 26 Feb 2014 08:10:33 -0500
Message-ID: <CANmPAYHURMsEHzVq=AMVco+8LY_qKPnE0TJjb10Q6jz=MvC+SA@mail.gmail.com>
To: Jeff Pinner <jpinner@twitter.com>
Cc: Ryan Hamilton <rch@google.com>, Roland Zink <roland@zinks.de>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Okay. But currently no "http"-schemed traffic runs over TLS. Do we think
this will account for a significant portion of web traffic in the future?


On Tue, Feb 25, 2014 at 9:35 PM, Jeff Pinner <jpinner@twitter.com> wrote:

> Currently, "http" and "https" conflate the browser security model with the
> transport security model. The "https" browser security model might not be
> acceptable for certain resources even if the transport security model is
> preferable.
>
>
> On Tue, Feb 25, 2014 at 5:09 PM, Peter Lepeska <bizzbyster@gmail.com>wrote:
>
>> Hi Salvatore,
>>
>> As you know, I'm all for new proposals that support both Secure Proxy and
>> Trusted Proxy. So thanks for writing and posting this. I'm struggling to
>> understanding how http URIs over TLS work as described in your draft. My
>> main question is:
>>
>> If the content server supports authenticated TLS, then why isn't the
>> content just hosted via "https"-schemed URIs? What is the reason that the
>> content server would make this content available via http schemes?
>>
>> Thanks,
>>
>> Peter
>>
>>
>>
>>
>>
>>
>> On Tue, Feb 25, 2014 at 10:31 AM, Ryan Hamilton <rch@google.com> wrote:
>>
>>> I think that Will is supportive of secure proxies as he said upthread:
>>>
>>> Let's be clear, these are two different things. There's "secure proxy"
>>> which is securing the connection between the proxy and the client. I'm
>>> supportive of standardizing this.
>>>
>>>
>>> Chrome currently supports specifying such proxies via pac files:
>>>
>>> http://www.chromium.org/developers/design-documents/secure-web-proxy
>>>
>>>
>>> Cheers,
>>>
>>> Ryan
>>>
>>>
>>> On Tue, Feb 25, 2014 at 1:40 AM, Roland Zink <roland@zinks.de> wrote:
>>>
>>>> On 24.02.2014 22:25, William Chan (ι™ˆζ™Ίζ˜Œ) wrote:
>>>>
>>>>> I've asked this before, and I still think it's a reasonable question.
>>>>> Is there another vendor that wants to interop with this kind of proxy?
>>>>> I'm asking this because I think that the purpose of standardizing such
>>>>> a proposal is for interoperability across vendors, and I don't see the
>>>>> point if the only implementations are Ericsson. But I may be
>>>>> misunderstanding IETF policy here.
>>>>>
>>>> There are other implementations of "secure proxies" like Chrome on
>>>> Android can use a Google proxy. Why should a user trust the Google proxy
>>>> more than a proxy from <insert your favorite mobile network operator>? An
>>>> interoperability would be good.
>>>>
>>>>
>>>>
>>>
>>
>
Received on Wednesday, 26 February 2014 13:11:06 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:24 UTC