- From: Mark Nottingham <mnot@mnot.net>
- Date: Thu, 14 Apr 2016 18:00:53 +1000
- To: Mike West <mkwst@google.com>
- Cc: Martin Thomson <martin.thomson@gmail.com>, Patrick McManus <mcmanus@ducksong.com>, HTTP Working Group <ietf-http-wg@w3.org>

> On 14 Apr 2016, at 5:52 PM, Mike West <mkwst@google.com> wrote:
>
> I'm a little worried about terminating TLS somewhere, but carrying a "totally secure" indicator through various proxies and etc. until reaching an origin server. Doesn't that seem more confusing and problematic than status quo? "SSL added and removed here", and etc.

It's not a totally secure indicator; it's an indicator of what state the client is in WRT scheme. That state isn't explicit now, so server-side software has to guess.

This is something that would be really useful for disambiguating things in cases where the same server-side code is handling both HTTP and HTTPS URLs. The Opportunistic Security draft was one place this came up; I'm wondering if it'd be useful in other ways.

To be clear, I'm not pushing this, just wondering out loud.

Cheers,

--
Mark Nottingham https://www.mnot.net/

Received on Thursday, 14 April 2016 08:01:24 UTC