Re: Proposed answer to Mobile Web Best Practices WG

I declare WG consensus on this response. tx Thomas!

          Mez

From: Joe Steele <steele@adobe.com>
To: Thomas Roessler <tlr@w3.org>, WSC WG public <public-wsc-wg@w3.org>
Date: 10/14/2009 12:42 PM
Subject: Re: Proposed answer to Mobile Web Best Practices WG
Sent by: public-wsc-wg-request@w3.org

+1

On 10/14/09 9:06 AM, "Thomas Roessler" <tlr@w3.org> wrote:

I propose that in response to the latest Content Transformation Guidelines 
Draft, we indicate that we're happy with the resolution of our group's 
comments, namely:
4.2.9.3 HTTPS Link Rewriting
Note:

For clarity it is emphasized that it is not possible for a transforming 
proxy to transform content accessed via an HTTPS link without breaking 
end-to-end security.

Interception of HTTPS and the circumstances in which it might be 
permissible is not a "mobile" question, as such, but is highly pertinent 
to this document. The BPWG is aware that interception of HTTPS happens in 
many networks today. Interception of HTTPS is inherently problematic and 
may be unsafe. The BPWG would like to refer to protocol based "two party 
consent" mechanisms, but such mechanisms do not exist at the time of 
writing of this document.

The practice of intercepting HTTPS links is strongly NOT RECOMMENDED.

If a proxy rewrites HTTPS links, it must advise the user of the security 
implications of doing so and must provide the option to bypass it and to 
communicate with the server directly.

Notwithstanding anything else in this document, proxies must not rewrite 
HTTPS links in the presence of a Cache-Control: no-transform directive.

If a proxy rewrites HTTPS links, replacement links must have the scheme 
https.

When forwarding requests originating from HTTPS links proxies must include 
a Via header field as discussed under 4.1.6.1 Proxy Treatment of Via 
Header Field 
<http://www.w3.org/TR/2009/WD-ct-guidelines-20091006/#sec-via-headers>.

When forwarding responses from servers proxies must notify the user of 
invalid server certificates.

Regards,
--
Thomas Roessler, W3C  <tlr@w3.org>

Received on Wednesday, 21 October 2009 14:01:54 UTC
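As an added illustration (not part of this thread, and not code from the W3C Content Transformation Guidelines), the following Python checks a transforming proxy's behaviour against the three rules in the quoted text that can be evaluated mechanically: no rewriting of HTTPS links when the origin response carries Cache-Control: no-transform, replacement links keeping the https scheme, and a Via header on forwarded requests. The header lists, the link pairs and the proxy host name ct-proxy.example are constructed sample data.

```python
# Added example: conformance checks for the HTTPS link rules in
# section 4.2.9.3 of the CT Guidelines draft. Not W3C code; all
# sample data below is constructed for illustration.
from urllib.parse import urlsplit


def parse_cache_control(value):
    """Return the lowercase directive names in one Cache-Control value.

    Directives are comma separated and may carry '=argument'; a proxy has
    to match no-transform case-insensitively and wherever it appears in
    the list, not only when it is the sole directive.
    """
    names = set()
    for part in value.split(","):
        name = part.split("=", 1)[0].strip().lower()
        if name:
            names.add(name)
    return names


def header_values(headers, name):
    """All values for a header name in a list of (name, value) pairs."""
    return [v for k, v in headers if k.lower() == name.lower()]


def may_rewrite_https_links(response_headers):
    """False when any Cache-Control value on the response has no-transform."""
    for value in header_values(response_headers, "Cache-Control"):
        if "no-transform" in parse_cache_control(value):
            return False
    return True


def rewritten_link_problems(link_pairs):
    """Report (original, replacement) pairs whose replacement drops https."""
    problems = []
    for original, replacement in link_pairs:
        if urlsplit(original).scheme.lower() != "https":
            continue  # rule only constrains links that were HTTPS to begin with
        if urlsplit(replacement).scheme.lower() != "https":
            problems.append(f"{original} -> {replacement}: scheme is not https")
    return problems


def has_via_header(request_headers):
    """True when the forwarded request carries at least one Via field."""
    return bool(header_values(request_headers, "Via"))


def audit(response_headers, link_pairs, forwarded_request_headers):
    """Combine the three header-level checks into a list of violations."""
    violations = []
    if link_pairs and not may_rewrite_https_links(response_headers):
        violations.append("HTTPS links rewritten despite Cache-Control: no-transform")
    violations.extend(rewritten_link_problems(link_pairs))
    if link_pairs and not has_via_header(forwarded_request_headers):
        violations.append("forwarded request lacks a Via header field")
    return violations


# Constructed sample: an origin response that forbids transformation, two
# rewrites (one downgrading to http), and a forwarded request without Via.
SAMPLE_RESPONSE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Cache-Control", "max-age=600, No-Transform"),
]
SAMPLE_LINK_PAIRS = [
    ("https://bank.example/login",
     "https://ct-proxy.example/r?u=https://bank.example/login"),
    ("https://bank.example/help",
     "http://ct-proxy.example/r?u=https://bank.example/help"),
]
SAMPLE_FORWARDED_REQUEST_HEADERS = [
    ("Host", "bank.example"),
    ("User-Agent", "MobileBrowser/1.0"),
]

if __name__ == "__main__":
    for v in audit(SAMPLE_RESPONSE_HEADERS, SAMPLE_LINK_PAIRS,
                   SAMPLE_FORWARDED_REQUEST_HEADERS):
        print("violation:", v)
```

The two remaining rules in the quoted text, advising the user of the security implications and notifying the user of invalid server certificates, concern the proxy's user interface and its TLS validation rather than headers, so they are outside what this header-level audit can decide.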