- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Tue, 29 Jul 2014 09:23:48 -0700
- To: "emile.stephan@orange.com" <emile.stephan@orange.com>
- Cc: "Mark Nottingham (mnot@mnot.net)" <mnot@mnot.net>, "HTTP Working Group (ietf-http-wg@w3.org)" <ietf-http-wg@w3.org>
On 29 July 2014 08:46, <emile.stephan@orange.com> wrote:
> Currently a mobile client can already OppSec connect to performance proxies
> (Google DCP and Opera cases were discussing in meeting) hosted on the
> Internet, but one at a time.

This isn't really opportunistic; these proxies are typically configured based on a name or a certificate fingerprint. That's a different proposition than what we're talking about here.

That said, I think that we need to examine the trade-offs when we talk about securing proxy communications.

With HTTP/2 to the proxy, we can use ALTSVC frames (though not Alt-Svc header fields) to enable opportunistic security if we are very careful. But it might be easier on balance to simply say that the proxy is configured to use a TLS connection that is authenticated against a specific name. e.g., rather than saying the proxy is at http://proxy.orange.com, say that it is at https://proxy.orange.com
Received on Tuesday, 29 July 2014 16:24:15 UTC