- From: FOSSATI, Thomas (Thomas) <thomas.fossati@alcatel-lucent.com>
- Date: Wed, 1 Oct 2014 15:00:41 +0000
- To: Martin Thomson <martin.thomson@gmail.com>
- CC: HTTP Working Group <ietf-http-wg@w3.org>
Hi Martin, On 30/09/2014 21:34, "Martin Thomson" <martin.thomson@gmail.com> wrote: >On 30 September 2014 13:25, FOSSATI, Thomas (Thomas) ><thomas.fossati@alcatel-lucent.com> wrote: >> true for https resources. But I can't find any explicit reference to >>https in 9.2 (and subsections), therefore I was inferring that those >>requirements also apply to opp-sec use of TLS? > >Would you like to make an argument for integrity-only for >opportunistic security? I can't imagine any argument that I'd find >compelling, but am always willing to be surprised. I was thinking more generally at uses of the H2/TLS combo to access http (as opposed to https) resources. One specific use case that I have in mind is making sure that the forward proxy whose name I have discovered via some mechanism (e.g. Markıs WPD) is the same as the one Iım actually connected to. I can get from TLS all the properties that I need - i.e. identification via proxy's certificate, and channel integrity from the negotiated key - without encryption. Cheers
Received on Wednesday, 1 October 2014 15:01:11 UTC