- From: Amos Jeffries <squid3@treenet.co.nz>
- Date: Tue, 29 Jul 2014 23:30:41 +1200
- To: ietf-http-wg@w3.org
On 29/07/2014 6:38 p.m., Mark Nottingham wrote: > <https://github.com/httpwg/http-extensions/issues/9> > > We discussed this issue in Toronto, and the sense of the room there was to close this issue with no action, since there are a lot of different scenarios for how a client uses a proxy, as well as different kinds of proxies which might cause clients to do different things. > > Any more discussion? If I am understanding the term "OppSec" correctly (does it still match the millitary meaning?) then the administrators OPSEC policy itself should be detailing these things, not HTTP spec. All HTTP spec has to do is provide flexibility in access (CONNECT, Upgrade, ALPN, Alt-Svc - good) and security operations (TLS, nothing, home-grown message signatures - reasonable) which the policy selects from. The onus is largely on implementations to retain interoperability when such a policy prohibits or mandates certain traffic usage (within HTTP spec). For example Chrome by rejecting CONNECT+Upgrade and plain-text HTTP/2 has effectively omitted itself from several OpSec policy groups which require open and/or recorded traffic within a network. The jail and school controlled-network scenarios being the most well-known of these. Amos
Received on Tuesday, 29 July 2014 11:31:16 UTC