Re: New tunnel protocol from Martin Thomson on 2015-01-22 (ietf-http-wg@w3.org from January to March 2015)

From: Martin Thomson <martin.thomson@gmail.com>
Date: Thu, 22 Jan 2015 09:02:49 -0800
To: Amos Jeffries <squid3@treenet.co.nz>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CABkgnnU9Tt+KE1WHJRBNGzZHN=2=g4sc7W=yphpSoKF3Ftxo0A@mail.gmail.com>

Or, if you consider what you are doing to be confidential (it usually
isn't), don't include tunnel-protocol. Just like today.
On Jan 21, 2015 8:56 PM, "Amos Jeffries" <squid3@treenet.co.nz> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 22/01/2015 12:11 p.m., Martin Thomson wrote:
> > On 21 January 2015 at 14:34, Adrien de Croy <adrien@qbik.com>
> > wrote:
> >> So there's room for ambiguity around whether the next layer
> >> (after CONNECT) is TLS or not.  Or do we rely on the identifier
> >> also indicating it is over TLS, in which case what if there are 2
> >> TLS layers?
> >
> > I get your point.  My understanding, and what is written down,
> > were indeed quite different.
> >
> > Does this help?
> >
> >
> https://github.com/httpwg/http-extensions/commit/7e2e57a48c21be2b68f856b41095800620fc1a20
> >
> >
> http://httpwg.github.io/http-extensions/tunnel-protocol.html#rfc.section.1
> > (when Travis catches up)
> >
>
> No,
>
> Consider that under the new scheme the label for HTTPS tunnels would
> say "HTTP/1.1" to indicate that an HTTP/1.1 compliant proxy "does not
> understand nor implement the tunneled protocol".
>
> The client intent is to tunnel TLS to keep the stuff inside secure. It
> is not appropriate for the HTTP upper layers to expose those
> intended-private details for all the world to read.
>
> IMO, just indicate TLS as the next layer after CONNECT and have that
> layers ALPN (or not) indicate the nested next-layer. If the
> intermediary is capable of peeking at the TLS ALPN value it can do so
> itself. That also resolves security and logistical issues with keeping
> the two ALPN tags in-sync.
>
> Amos
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.22 (MingW32)
>
> iQEcBAEBAgAGBQJUwIGlAAoJELJo5wb/XPRjbLUIAKEwlIVSVfrTnjnmKMzR+i2c
> v/x+Qrxsw1Hc5HIHSPqSamcW86MWsKjf872Ay5kLbjzbye5XRVIxJX8ltteImfH4
> ft9gSEAnIIaeqXcHW7yAE4M+M8x67ShXz2ErvmUEHh38hoybsBYqNVKkGEVg4oEU
> u6Siuljxjtj4NmhRP8hMTLYf6vT01LOwY9g7gZ3EGf5k0vk+6yTF9qBNxKji9RHF
> qF6a+/hK15l9YVJejk4KI1w3Jp4xy0Vw0hwJQux+nnbn4D/dW5CE3myIy345xDts
> ZJhZsKAcRg+JEoRGIMGze6Of5lBIlmtgxs8nhuSalwve+G/grguWb83DDeykWx4=
> =UNbp
> -----END PGP SIGNATURE-----
>
>

Received on Thursday, 22 January 2015 17:03:21 UTC