On Fri, May 10, 2019 at 06:20:45PM -0400, Phillip Hallam-Baker wrote:
> > proxy). Middleboxen will be with us forever.
>
> Of course. The part that is going away though is the part we were focused
> on in 1994-1996 because the Internet was melting under the load.

Ah yes, that's done, thankfully. Indeed, the network is now faster than the
servers, so we scale out horizontally as much as possible.

> MITM proxies introduce their own horrors and they are an example of the
> cost of trying to remain principled in an unprincipled world. We could do
> MITM in a much better way than we have ended up with. But we can't come to
> consensus on a protocol of that sort.

Consensus isn't the problem. The problem is that HTTP/1.x was so trivial to
implement (bash + printf + nc can do it) that there are too many "stacks" in
which to implement something new, so it can't be done.

This is also why 3xx redirect-based authentication methods are winning over
as-originally-intended 401 / WWW-Authenticate / Authorization methods. It's
easier to implement redirect chasing than to implement a pluggable
authentication method framework. (Also, it's easier on server devs to use
redirects.) I just wish 3xx and 401 weren't mutually exclusive. I posted to
art@xxxxxxxx a few weeks ago about that but got no replies, sadly.

There's just no way to do better when we'd have to fix a few thousand clients
and a dozen or so proxies. ETOOHARD is an understatement.

Nico
--
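The contrast Nico draws between redirect chasing and a pluggable 401 / WWW-Authenticate framework is easy to see in client code. The following is an added example, not code from the thread or from any of the participants: a client that handles both styles against a constructed toy server. The redirect path is a loop over Location; the 401 path needs an RFC 7235 challenge-list parser (commas separate both parameters and challenges, so a bare token starts a new scheme) plus a per-scheme handler registry. The paths, token, cookie and credentials are made up for the example; token68 challenge values (Negotiate blobs and the like) are deliberately not handled.

```python
# Added example (not from the thread). Toy server, URLs, token and cookie are
# constructed for illustration; nothing here talks to a real network.
import base64
import re
from typing import Callable, Dict, List, Optional, Tuple


class Response:
    """Minimal HTTP response model; header names are stored lower-cased."""
    def __init__(self, status: int, headers: Dict[str, str], body: str = ""):
        self.status = status
        self.headers = {k.lower(): v for k, v in headers.items()}
        self.body = body


Fetch = Callable[[str, Dict[str, str]], Response]   # (url, request headers) -> Response

# ---- 401 path: WWW-Authenticate is a comma-separated challenge list (RFC 7235).
# challenge = auth-scheme *( "," auth-param ); auth-param = token "=" ( token / quoted-string )
# A bare token (no "=") is therefore a new auth-scheme. token68 values are not supported.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_ELEMENT = re.compile(
    rf'\s*,?\s*(?P<name>{_TOKEN})'                          # scheme or param name
    rf'(?:\s*=\s*(?P<value>"(?:[^"\\]|\\.)*"|{_TOKEN}))?'    # optional =value
)


def _unquote(value: str) -> str:
    if value.startswith('"'):
        return re.sub(r'\\(.)', r'\1', value[1:-1])          # undo quoted-pair escapes
    return value


def parse_challenges(header: str) -> List[Tuple[str, Dict[str, str]]]:
    """Return [(scheme, params), ...] in server order; raise ValueError on malformed input."""
    header = header.strip()
    challenges: List[Tuple[str, Dict[str, str]]] = []
    pos = 0
    while pos < len(header):
        m = _ELEMENT.match(header, pos)
        if not m:
            raise ValueError(f"malformed WWW-Authenticate at offset {pos}: {header[pos:]!r}")
        pos = m.end()
        name, value = m.group("name").lower(), m.group("value")
        if value is None:
            challenges.append((name, {}))                    # new auth-scheme
        elif not challenges:
            raise ValueError("auth-param before any auth-scheme")
        else:
            challenges[-1][1][name] = _unquote(value)
    return challenges


# The handler registry is the "pluggable authentication method framework":
# every new scheme means another entry here, in every client stack.
Handler = Callable[[Dict[str, str], Dict[str, str]], Optional[str]]

def _bearer(params: Dict[str, str], creds: Dict[str, str]) -> Optional[str]:
    return "Bearer " + creds["token"] if "token" in creds else None

def _basic(params: Dict[str, str], creds: Dict[str, str]) -> Optional[str]:
    if "username" not in creds or "password" not in creds:
        return None
    userpass = f"{creds['username']}:{creds['password']}".encode("utf-8")
    return "Basic " + base64.b64encode(userpass).decode("ascii")

# Client preference order, not server order: never downgrade to a password
# scheme when a token scheme is on offer.
HANDLERS: Dict[str, Handler] = {"bearer": _bearer, "basic": _basic}


def answer_challenge(www_authenticate: str, creds: Dict[str, str]) -> Optional[str]:
    offered = parse_challenges(www_authenticate)
    for scheme, handler in HANDLERS.items():
        for offered_scheme, params in offered:
            if offered_scheme == scheme:
                authz = handler(params, creds)
                if authz:
                    return authz
    return None                                              # no scheme we can speak


def fetch_with_challenge(fetch: Fetch, url: str, creds: Dict[str, str]) -> Response:
    resp = fetch(url, {})
    if resp.status != 401 or "www-authenticate" not in resp.headers:
        return resp
    authz = answer_challenge(resp.headers["www-authenticate"], creds)
    if authz is None:
        return resp                                          # hand the 401 back to the caller
    return fetch(url, {"authorization": authz})              # one retry; a second 401 is final


# ---- 3xx path: nothing to parse, just chase Location and keep the cookie jar.
def fetch_with_redirects(fetch: Fetch, url: str, cookies: Dict[str, str], max_hops: int = 5) -> Response:
    for _ in range(max_hops):
        cookie_hdr = "; ".join(f"{k}={v}" for k, v in cookies.items())
        resp = fetch(url, {"cookie": cookie_hdr} if cookie_hdr else {})
        if "set-cookie" in resp.headers:                     # toy jar: single name=value, no attributes
            name, value = resp.headers["set-cookie"].split("=", 1)
            cookies[name] = value
        if resp.status in (301, 302, 303, 307, 308) and "location" in resp.headers:
            url = resp.headers["location"]
            continue
        return resp
    raise RuntimeError("redirect loop")


# ---- Constructed toy server: one resource behind each style.
def toy_server(url: str, headers: Dict[str, str]) -> Response:
    if url == "/api/secret":                                 # 401-style resource
        if headers.get("authorization") == "Bearer t0k3n":   # constructed token
            return Response(200, {}, "api payload")
        return Response(401, {"WWW-Authenticate": 'Bearer realm="api", Basic realm="legacy", charset="UTF-8"'})
    if url == "/app":                                        # redirect-style resource
        if headers.get("cookie") == "session=s3ss10n":       # constructed session cookie
            return Response(200, {}, "app page")
        return Response(302, {"Location": "/login?next=/app"})
    if url.startswith("/login"):                             # toy login endpoint: set cookie, bounce back
        return Response(302, {"Location": "/app", "Set-Cookie": "session=s3ss10n"})
    return Response(404, {})


if __name__ == "__main__":
    print(fetch_with_challenge(toy_server, "/api/secret", {"token": "t0k3n"}).body)
    print(fetch_with_redirects(toy_server, "/app", {}).body)
```

The redirect client is a dozen lines and needs no knowledge of how the login endpoint authenticates; the 401 client needs a correct parser and a handler for every scheme it will ever meet, which is exactly the per-stack cost the message is talking about. Note also that the toy server can return either a 302 or a 401 for a given request, never both, which is the mutual exclusivity the message laments.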