- From: Noah Mendelsohn <nrm@arcanedomain.com>
- Date: Mon, 16 Feb 2015 12:35:58 -0500
- To: Mark Nottingham <mnot@mnot.net>
- CC: Ryan Sleevi <sleevi@google.com>, "www-tag@w3.org List" <www-tag@w3.org>
On 2/16/2015 1:14 AM, Mark Nottingham wrote: >> >On 16 Feb 2015, at 4:59 pm, Ryan Sleevi<sleevi@google.com> wrote: >> > >> >The overall topic is that you've presented as "An Issue" for the TAG a >> >question of how users use and administer their machines, and whether >> >the TAG should intervene. I'm (hopefully clearly) rather opposed to >> >this. > That's a concise statement of the problem, thanks. I respectfully suggest that's a bit too limited as a framing. As I said in my earlier note, I think there's a question that arises whether or not we are talking specifically about users and their configuration of machines & browsers When an https-scheme URI is dereferenced per the pertinent specifications, starting with RFC 3986 [1] and continuing (as discussed in the TAG finding on the Self-describing Web [2]) from there to RFC 4395 [3] to RFC 7230 section 2.7.2 [4], etc.). We find in [4]: "2.7.2. https URI Scheme The "https" URI scheme is hereby defined for the purpose of minting identifiers according to their association with the hierarchical namespace governed by a potential HTTP origin server listening to a given TCP port for TLS-secured connections ([RFC5246]). All of the requirements listed above for the "http" scheme are also requirements for the "https" scheme, except that TCP port 443 is the default if the port subcomponent is empty or not given, and >>the user agent MUST ensure that its connection to the origin server is secured through the use of strong encryption, end-to-end, prior to sending the first HTTP request.<<" [Emphasis mine...Noah] I think you can make the case that this REQUIRES unmodified end-to-end communication to the origin server. This is not specific to browsers, users, or configuration of machines. It's the definition of the https URI scheme. Now, we can also point out that the user agent is, well, the user's agent. If a user chooses to modify his/her agent with an extension that does something other than what the normative specifications require, the user can do that, but hasn't he or she now turned it into something non-conforming? Isn't that what's happening when the user (intentionally or otherwise), grants permission for an extension, ISP proxy or other means of replaying the end-to-end check with MITM? If we're heading toward a world where the typical Web software, as deployed, violates the most fundamental and straightforward of normative Web specifications, I think the TAG should have something to say about that. This seems to me a case where the specifications are pretty clear, and they are not fundamentally about user agents. They are about the required resolution of an https-scheme identifier, whether by a user agent or anything else. I strongly urge the TAG to consider the question from this perspective, and to explain how any conclusions or recommendations reached regarding user agents relate to the above referenced normative specifications. Thank you! Noah [1] http://www.ietf.org/rfc/rfc3986.txt [2] http://www.w3.org/2001/tag/doc/selfDescribingDocuments.html [3] http://tools.ietf.org/html/rfc4395 [4] http://tools.ietf.org/html/rfc7230
Received on Monday, 16 February 2015 17:36:21 UTC