Re: Client-Cert Header draft

On 25 Apr 2020, at 00:13, Brian Campbell <bcampbell@pingidentity.com> wrote:

> The draft is trying to be agnostic to things like TLS being used from TRRP to Origin or not. But certainly doesn't rule it out. The intro has "...HTTPS is also usually employed between the proxy and the origin server…".

In essence, as a user of this I care only about two things:

- I care what was the cert; and
- I care who asserts this cert is legit.

The first bit is easy - the cert is in the header. I would like the second bit to be as easy as “verify a signature on the header”.

All the stuff about how it’s used is largely academic; as long as I get the above two things, I as a user am happy. What cert is used to sign? I don't want the RFC to care, that’s an implementation detail, let me choose a signature that works for me in my use case.

Key for me is the second line above - if I don’t have a cryptographically secure way to verify where the cert came from, the header is useless to me.

Regards,
Graham
—
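The two checks the reply asks for (what the cert was, and who asserts it) as an added example, not code from the draft or from either poster: the proxy forwards the certificate in a Client-Cert header and adds a signature header over that value, and the origin accepts the certificate only if the signature verifies. It assumes a hypothetical `Client-Cert-Signature` header, a shared proxy/origin key with HMAC-SHA256 standing in for whatever signature the deployment chooses, and that the header value is the base64-encoded DER certificate.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed stand-in for a DER-encoded client certificate (not a real cert).
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-client-cert-bytes"

# Assumption: a key shared only by the proxy and the origin. Any signature
# scheme could replace HMAC here; the draft does not prescribe one.
PROXY_KEY = secrets.token_bytes(32)
SIG_HEADER = "Client-Cert-Signature"  # hypothetical header name, not from the draft


def make_client_cert_header(cert_der: bytes) -> str:
    """Proxy side: carry the cert as base64 of its DER encoding (assumed format)."""
    return base64.b64encode(cert_der).decode("ascii")


def sign_header(cert_header: str, key: bytes) -> str:
    """Proxy side: MAC over the exact header value so the origin knows who asserted it."""
    mac = hmac.new(key, cert_header.encode("ascii"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def build_headers(cert_der: bytes, key: bytes) -> dict:
    """Proxy side: the two headers sent on to the origin."""
    cert_header = make_client_cert_header(cert_der)
    return {"Client-Cert": cert_header, SIG_HEADER: sign_header(cert_header, key)}


def verify_client_cert_header(headers: dict, key: bytes):
    """Origin side: return the DER cert only if the signature over the header
    checks out; return None for a missing, malformed, or mismatched signature."""
    cert_header = headers.get("Client-Cert")
    sig = headers.get(SIG_HEADER)
    if cert_header is None or sig is None:
        return None
    try:
        given = base64.b64decode(sig, validate=True)
        cert_der = base64.b64decode(cert_header, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    expected = hmac.new(key, cert_header.encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so a forged header cannot be matched byte by byte.
    if not hmac.compare_digest(expected, given):
        return None
    return cert_der
```

A header that arrives without a valid signature, whatever path it took, yields None and should be treated as if no client certificate were presented.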

Received on Friday, 24 April 2020 23:07:32 UTC