- From: Roy T. Fielding <fielding@apache.org>
- Date: Wed, 20 Mar 2002 20:39:46 -0800
- To: Lisa Dusseault <ldusseault@xythos.com>
- Cc: w3c-dist-auth@w3.org
On Wed, Mar 20, 2002 at 06:04:28PM -0800, Lisa Dusseault wrote: > I don't think you understand. If I'm sitting inside a large company, trying > to author a page from a site that's out on the internet, that page may > already be subject to transformations from transparent edge services. For > example, the company firewall may be filtering viruses downloaded via HTTP. I don't think that DAV clients should be able to bypass that one, but they can via a tunnel. > More insidious, if I get my internet service from a struggling ISP, they > could replace banner ads on incoming messages with their own banner ads. I don't think people will allow banner ads to be edited through anything less secure than a VPM or SSL tunnel, for obvious reasons. > The OPES WG at the IETF is dealing with these issues directly. The IAB has > suggested that edge services should not be transparent -- that clients must > explicitly ask for edge services. However, even an IETF demand for there > not to be transparent edge services isn't a guarantee that there won't be > any. You could say that the authoring issues are an argument against > encouraging transparent edge services, but those issues certainly don't make > transparent edge services not exist. I wouldn't argue that at all. What you should consider, however, is that if there is a plain HTTP mechanism for routing requests unmolested through an interception device (which is not called an edge service), then what makes you think that only DAV clients would want to use it? And, once that happens, why would the molesters honor the plain HTTP mechanism? ....Roy
Received on Wednesday, 20 March 2002 23:43:19 UTC