- From: Brian Campbell <bcampbell@pingidentity.com>
- Date: Fri, 24 Apr 2020 16:13:53 -0600
- To: James <james.ietf@gmail.com>
- Cc: Graham Leggett <minfrin@sharp.fm>, HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CA+k3eCS78WpuGPQx+Wyf4AxeWOWg+ACYBoukftBBE3tGPWROXw@mail.gmail.com>
The draft is trying to be agnostic to things like TLS being used from TRRP to Origin or not. But certainly doesn't rule it out. The intro has "...HTTPS is also usually employed between the proxy and the origin server...". On Wed, Apr 22, 2020 at 6:56 AM James <james.ietf@gmail.com> wrote: > On 21/04/2020 23:17, Graham Leggett wrote: > > Having read the draft, one thing I would suggest is that the ability > > exists for the contents of the Client-Cert header to be signed, so that > > anyone who cares can verify that the header came from where it said it > > came from ... (I wouldn’t make this a MUST requirement, but maybe > > RECOMMENDED perhaps). > > +1 for it not being a MUST as I think that signing the header should > only be RECOMMENDED or SHOULD be present when the TRRP to Origin > connection is NOT using TLS itself. Perhaps this could be offered as a > separate header itself. The draft appears to focus around no TLS being > used from TRRP to Origin, I have uses cases where it exists - such as a > publicly trusted CA used on the TRRP's server certificate, but an > internal CA used to the Origin. > > - J > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
Received on Friday, 24 April 2020 22:14:33 UTC