- From: Joe Steele <steele@adobe.com>
- Date: Wed, 14 Oct 2009 09:28:52 -0700
- To: Thomas Roessler <tlr@w3.org>, WSC WG public <public-wsc-wg@w3.org>
- Message-ID: <C6FB4A54.D249%steele@adobe.com>
+1 On 10/14/09 9:06 AM, "Thomas Roessler" <tlr@w3.org> wrote: I propose that in response to the latest Content Transformation Guidelines Draft, we indicate that we're happy with the resolution of our group's comments, namely: 4.2.9.3 HTTPS Link Rewriting Note: For clarity it is emphasized that it is not possible for a transforming proxy to transform content accessed via an HTTPS link without breaking end-to-end security. Interception of HTTPS and the circumstances in which it might be permissible is not a "mobile" question, as such, but is highly pertinent to this document. The BPWG is aware that interception of HTTPS happens in many networks today. Interception of HTTPS is inherently problematic and may be unsafe. The BPWG would like to refer to protocol based "two party consent" mechanisms, but such mechanisms do not exist at the time of writing of this document. The practice of intercepting HTTPS links is strongly NOT RECOMMENDED. If a proxy rewrites HTTPS links, it must advise the user of the security implications of doing so and mustprovide the option to bypass it and to communicate with the server directly. Notwithstanding anything else in this document, proxies must not rewrite HTTPS links in the presence of aCache-Control: no-transform directive. If a proxy rewrites HTTPS links, replacement links must have the scheme https. When forwarding requests originating from HTTPS links proxies must include a Via header field as discussed under 4.1.6.1 Proxy Treatment of Via Header Field <http://www.w3.org/TR/2009/WD-ct-guidelines-20091006/#sec-via-headers> . When forwarding responses from servers proxies must notify the user of invalid server certificates. Regards, -- Thomas Roessler, W3C <tlr@w3.org>
Received on Wednesday, 14 October 2009 16:37:10 UTC