W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2012

Re: Some proxy needs

From: Nicolas Mailhot <nicolas.mailhot@laposte.net>
Date: Sun, 8 Apr 2012 22:01:50 +0200
Message-ID: <4d2620885d1dab5c52de68b1a4aafabd.squirrel@arekh.dyndns.org>
To: "Poul-Henning Kamp" <phk@phk.freebsd.dk>
Cc: "Nicolas Mailhot" <nicolas.mailhot@laposte.net>, ietf-http-wg@w3.org

Le Dim 8 avril 2012 14:41, Poul-Henning Kamp a écrit :

>>4. A way to inspect most of the client communication for malware. I say most
>>because :
>
> If the site policy is "everything gets inspected", the protocol must support
> that, either by allowing inspection, or by preventing the communication.
>
> It site administrators choose not to, because of sound use of
> decretion/legally requiments etc, that is not a relevant factor in
> the standardization.

Real-world is not black-and-white. A big proxy setup is a compromise between
what the security people want (inspect everything for malware) and the user
happiness (some privacy). For some kinds of web sites the legal risks of
inspecting will outweigh the legal risks of not inspecting (user bank accesses
almost certainly fall there). That only reflects the ambivalence of general
law on this subject. Any law-abiding operator will try to match law as much as
possible.

Exceptions that won't be inspected even though the general policy is to
inspect will always be a minority because setting up exception lists is
administrative hell but the protocols should permit such lists to be put in
place.

Like Willy wrote previously, a typical proxy setup is a tiered config of
general rules, positive exceptions (do it even though the general rules say
you should not), and negative exceptions (don't do it anyway). There is no
reason choosing to inspect or not encrypted coms won't be handled the same
way.

Regards,

-- 
Nicolas Mailhot
Received on Sunday, 8 April 2012 20:02:22 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:59 GMT