- From: Jana Iyengar <jri@google.com>
- Date: Tue, 30 Jan 2018 11:50:03 -0800
- To: Eric Rescorla <ekr@rtfm.com>
- Cc: Jeffrey Yasskin <jyasskin@google.com>, HTTP Working Group <ietf-http-wg@w3.org>
Received on Tuesday, 30 January 2018 19:50:27 UTC
I'm watching from the sidelines, but a clarification question: Thanks for taking a look at this. However, I don't think it really > addresses the concern that I raised, which is not solely about talking to > the origin but about having a digital signature from the origin server > substitute for an HTTPS connection to the origin. > In the current world, client does DNS lookup, establishes a TCP connection, creates a secure channel to an authenticated origin, and gets content from it over this channel. Per my understanding, the proposal here basically removes the DNS lookup + TCP connection to the origin, but creates a secure channel to an authenticated proxy, and separately authenticates content that it gets from it. The client would previously have authenticated the channel to the origin and gotten any content from it. In this proposal, a client does a TLS handshake to secure the channel to the proxy, and then authenticates content that comes over it. Is this understanding correct? If so, it *seems* equivalent security to HTTPS.
Received on Tuesday, 30 January 2018 19:50:27 UTC