Mandate HTTPS #165

martinthomson · 2022-08-09T04:47:57Z

The text noted in #155 was correct, but we didn't have a single place where we outlined this as a direct requirement.

The day where HTTP presupposes TLS has come for some, but not all of us. Until then, we can be more careful.

Closes #155.

chris-wood · 2022-08-09T13:00:21Z

draft-ietf-ohai-ohttp.md

@@ -726,6 +726,12 @@ In this section, a deployment where there are three entities is considered:
 * A relay operates the Oblivious Relay Resource
 * A server operates both the Oblivious Gateway Resource and the Target Resource

+Connections between the client, Oblvious Relay Resource, and Oblivious Gateway
+Resource MUST use HTTPS in order to provide unlinkability in the presence of a
+network observer.  The scheme of the encapsulated request detemrines what is


In case it's helpful, the analysis showed that HTTPS is only needed between client and relay to achieve this property. But we're mandating it on both sides because it's just good practice.

Mandate HTTPS

15d2de6

Closes ietf-wg-ohai#155.

LPardue approved these changes Aug 9, 2022

View reviewed changes

chris-wood reviewed Aug 9, 2022

View reviewed changes

chris-wood approved these changes Aug 9, 2022

View reviewed changes

chris-wood merged commit ca6d643 into ietf-wg-ohai:main Aug 9, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Mandate HTTPS #165

Mandate HTTPS #165

martinthomson commented Aug 9, 2022

chris-wood Aug 9, 2022

Mandate HTTPS #165

Mandate HTTPS #165

Conversation

martinthomson commented Aug 9, 2022

chris-wood Aug 9, 2022

Choose a reason for hiding this comment