Re: ACTION-902 Summarise and prepare proposed resolutions on HTTPS link rewriting.

Hi Jo,

Many thanks for this summary of summaries.

I'm jumping straight to the conclusion because the rest is French 
cuisine, you know, a perfect balance between spices, herbs, meat, wine 
and cheese, so I don't see anything to add.

Jo Rabin wrote:
[...]
> 
> 4. Conclusions and Proposed Resolutions
> 
> a. PROPOSED RESOLUTION: Link rewriting is a form of transformation and 
> at a minimum is subject to the same limitations as other forms of 
> transformation

+1 to the proposed resolution and to the arguments that led to it.


> 
> b. PROPOSED RESOLUTION: In-network proxies MUST NOT rewrite links 
> without explicit prior agreement from the Content Provider

Without context, the exception-to-the-rule looks weird. Or rather it 
makes me think I missed a bit of context. Is the exception only 
triggered by the case when a Content Provider agrees to the 
"interception of" HTTPS and thus also needs to agree on links rewriting, 
or is there something else?

I would agree in the first case, and would like to know what I missed in 
the second case.


> 
> c. PROPOSED RESOLUTION: Interception of HTTPS is not permissible without 
>  explicit prior agreement from the Content Provider and consent from the 
> user on a case by case basis

+1. The proposed resolution is indeed to be read in the scope of the 
Content Transformation guidelines about network-deployed content 
transformation proxies. I don't think we should extend this scope.


I also agree with the non-normative security consideration note on links 
rewriting:
> Either way it would be worthwhile making a note as to the security issues discussed above in a non-normative way.


Francois.

Received on Monday, 9 March 2009 21:42:17 UTC