Re: ID for Immutable

On 10/28/2016 11:21 AM, Patrick McManus wrote:
> I do believe the lack of integrity protection in plaintext transfer is
> an important security consideration for immutable that suggests they
> should not be used together. I'm open to other wording on it for sure..
> https:// might be sufficient here.

Sounds good. A more general "SHOULD ignore immutable for resources
received without integrity protection" wording would allow proxies to
legally honor the immutable setting in most cases (after breaking a
hundred MUSTs to get to it inside https, naturally).

Thank you,


> On Fri, Oct 28, 2016 at 12:50 PM, Alex Rousskov wrote:
>     On 10/26/2016 03:02 PM, Patrick McManus wrote:
>     >    o  Clients should ignore immutable for resources that are not
>     part of
>     >       a secure context [SECURECONTEXTS].
>     Please think of the children^H^H^H^H proxies. AFAICT, "secure contexts"
>     are currently a user agent concept. If the above "should" is meant to be
>     a "SHOULD", then the draft automatically disqualifies most proxies from
>     legally utilizing this promising "ignore reload" mechanism.
>     Thank you,
>     Alex.

Received on Friday, 28 October 2016 18:13:35 UTC