Re: Considering the pressure to turn HTTPS into a three-party protocol

On 2/16/2015 5:47 PM, Bjoern Hoehrmann wrote:
> The specification defines the behavior of user agents, not the behavior
> of a timbled kiosk in some heteronomous computing environment, and users
> are naturally the ultimate authority for any trust decisions agents may
> make. It would be ridiculous, for instance, to argue that a web crawler
> designed to scan web sites for malware would violate the rules of the
> protocol when scanning web sites that only support ciphers that are no
> longer considered secure enough for financial transactions.

I disagree. The specification is defining the use of a name for purposes of 
dereference. To conform to this specification, the agent must end-to-end 
encrypt, and the spirit seems clear that this means not modify the content.

As I noted, you can create useful agents of all sorts, some of which will 
do useful things not conforming to this specification. I would argue that 
your proposed crawler is an example.

The specification defines a preferred way of dereferencing an https-scheme 
URI and says that a conforming agent shall do this. The foundational 
specification of the web, RFC 3986, delegates to the specification we're 
discussing. Thus, this appears to me to be the specified, conforming 
behavior for Web user agents.

I'm suggesting that if common practice is diverging from the conformance 
requirements of the normative specifications, then it would be useful for 
the TAG to tell us a story about that. Maybe the specifications should 
change, maybe common practice should change, maybe there's another 
reasonable interpretation of the phrase "MUST ensure that its connection to 
the origin server is secured through the use of strong encryption, end-to-end".

Noah

Received on Monday, 16 February 2015 23:06:33 UTC