Edit comment LC-2032 for Mobile Web Best Practices Working Group

Quick access to LC-1995 LC-1996 LC-1997 LC-1998 LC-1999 LC-2000 LC-2001 LC-2002 LC-2003 LC-2004 LC-2005 LC-2006 LC-2007 LC-2008 LC-2009 LC-2010 LC-2011 LC-2012 LC-2013 LC-2014 LC-2015 LC-2016 LC-2017 LC-2018 LC-2019 LC-2020 LC-2021 LC-2022 LC-2023 LC-2024 LC-2025 LC-2026 LC-2027 LC-2028 LC-2029 LC-2030 LC-2031 LC-2032 LC-2033 LC-2034 LC-2036 LC-2037 LC-2038 LC-2039 LC-2040 LC-2041 LC-2042 LC-2043 LC-2044 LC-2045 LC-2046 LC-2047 LC-2048 LC-2049 LC-2050 LC-2051 LC-2052 LC-2053 LC-2054 LC-2064 LC-2065 LC-2066 LC-2067 LC-2068 LC-2069 LC-2070 LC-2071 LC-2072 LC-2073 LC-2074 LC-2075 LC-2076 LC-2077 LC-2078 LC-2079 LC-2080 LC-2081 LC-2082 LC-2083 LC-2084 LC-2085 LC-2089 LC-2090 LC-2091 LC-2097

Comment LC-2032

Comment Shortname:

Commenter: casays <casays@yahoo.com>

Message-id:

Section of the document concerned:

[Free text description]Document as a wholeContent Transformation Guidelines 1.0 Abstract Status of this Document Table of Contents Appendices 1 Introduction (Non-Normative) 1.1 Purpose 1.2 Audience 1.3 Scope 1.4 Summary of Requirements 2 Terminology (Normative) 2.1 Types of Proxy "A transparent proxy is a proxy that does not modify the req... A non-transparent proxy is a proxy that modifies the request... 2.2 Types of Transformation Restructuring content is a process whereby the original layo... Recoding content is a process whereby the layout of the cont... Optimizing content includes removing redundant white space,... 3 Conformance (Normative) 3.1 Classes of Product 3.2 Normative and Informative Parts 3.3 Normative Language for Conformance Requirements 3.4 Content Deployment Conformance 3.5 Transformation Deployment Conformance 4 Behavior of Components (Normative) 4.1 Proxy Forwarding of Request 4.1.1 Applicable HTTP Methods 4.1.2 no-transform directive in Request 4.1.3 Treatment of Requesters that are not Web browsers 4.1.4 Serving Cached Responses 4.1.5 Alteration of HTTP Header Values In this section, the concept of "Web site" is used (rather t... 4.1.5.1 Content Tasting 4.1.5.2 Avoiding "Request Unacceptable" Responses 4.1.5.3 User Selection of Restructured Experience 4.1.5.4 Sequence of Requests 4.1.5.5 Original Headers 4.1.6 Additional HTTP Headers 4.1.6.1 Proxy Treatment of Via Header 4.2 Server Response to Proxy 4.2.1 Use of HTTP 406 Status 4.2.2 Server Origination of Cache-Control: no-transform Including a Cache-Control: no-transform directive can disrup... 4.2.3 Varying Representations 4.2.3.1 Use of Vary HTTP Header 4.2.3.2 Indication of Intended Presentation Media Type of Representation 4.3 Proxy Forwarding of Response to User Agent 4.3.1 Receipt of Cache-Control: no-transform 4.3.2 Receipt of Warning: 214 Transformation Applied 4.3.3 Server Rejection of HTTP Request 4.3.4 Receipt of Vary HTTP Header 4.3.5 Link to "handheld" Representation 4.3.6 Proxy Decision to Transform 4.3.6.1 Alteration of Response 4.3.6.2 HTTPS Link Re-writing 5 Testing (Normative) A References B Example Transformation Interactions (Non-Normative) B.1 Basic Content Tasting by Proxy B.2 Optimization based on Previous Server Interaction B.3 Optimization based on Previous Server Interaction, Server has Changed its Operation B.4 Server Response Indicating that this Representation is Intended for the Target Device B.5 Server Response Indicating that another Representation is Intended for the Target Device C Applicability to Transforming Solutions which are Out of Scope (Non-Normative) D Scope for Future Work (Non-Normative) D.1 POWDER D.2 link HTTP Header D.3 Sources of Device Information D.4 Inter Proxy Communication D.5 Amendment to and Refinement of HTTP E Administrative Arrangements (Non-Normative) F Acknowledgments (Non-Normative)
or

Refinement of the section concerned:

Status:

open proposal pending resolved_yes resolved_no resolved_partial other assigned to Nobody

Type: substantive editorial typo question general comment undefined

Resolution status:

Response drafted Resolution implemented Reply sent to commenter

Response status:

No response from Commenter yet Commenter approved disposition Commenter objected to disposition
Commenter's response (URI):

Comment:

g) The guidelines rely upon a fundamentally flawed assumption:
in the HTTPS connection, the client is the only party concerned
with security, and which must take a decision as to whether to
access resources over a point-to-point or end-to-end link.

This is incorrect: there are actually two parties to the secure
connection, client and server, both with legitimate security
concerns. The server has thus as much a right to determine whether
it wants to provide services over a point-to-point connection
as the client. I can very well imagine that for instance
banking, electronic commerce or social networking application
servers may decide to sever point-to-point connections rather
than providing services over them, and inform the end-user
about the reasons.

Unfortunately, because of the flawed assumption of the guidelines,
there is strictly no way a server may reliably detect whether
it is communicating over a point-to-point link or not.

Consider:
i. The proxy rewrites links but the replacement links must have
HTTPS; hence for the server communication obviously takes place
over HTTPS.
ii. If the proxy preserves the HTTP header fields (such as
user-agent, accept, accept-charset, etc), which is actually
encouraged by the guidelines, then the proxy cannot detect
that transformations may be taking place.
iii. Further, the "via" HTTP header field does not constitute
a proper mechanism to detect the presence of a transformation
proxy, and whether HTTPS is point-to-point or end-to-end.
First, the comment "http://www.w3.org/ns/ct" indicating the
presence of a transformation proxy is not mandatory, as per
the guidelines. Secondly, RFC2616 authorizes proxies to use
a pseudonym instead of a domain name for the "received-by"
part of their hop, which does not necessarily have a meaning
for servers.

The server is therefore not in a position to take educated
decisions as to its secure communications with clients through
a transformation proxy.

Related issues: (space separated ids)

WG Notes: [Needs to be checked after editorial re-writing] See: http://www.w3.org/2008/10/07-bpwg-minutes.html#item02 Final resolution: - Accept the thrust of Tom's submission on HTTPS, and editor to make sure that the wording is beefed up (e.g. by saying that if a proxy rewrites HTTPS ... rather than saying a proxy MAY) to make it clear that if you _must_ do it the user MUST know and MUST have a choice

Resolution: We agree and have added text to this section that goes some way to addressing your concern.

(Please make sure the resolution is adapted for public consumption)