- From: 陈智昌 <willchan@chromium.org>
- Date: Tue, 3 Dec 2013 03:21:27 -0800
- To: Yoav Nir <synp71@live.com>
- Cc: Roberto Peon <grmocg@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CAA4WUYidbeaNqNfnVEng0A6sjQ1ba5dLUxYpZPeJy_eG0uOTTQ@mail.gmail.com>
On Tue, Dec 3, 2013 at 1:49 AM, Yoav Nir <synp71@live.com> wrote:

> On 3/12/13 10:28 AM, Roberto Peon wrote:
>
>> For enterprises, the new trend is apparently to allow users to
>> use their personal devices. These devices would be outside the
>> normal administrative chain and would likely cause headaches.
>>
>> I agree using personal devices would likely cause headaches. But
>> you're not saying explicit proxies solves this somehow, do you? If
>> so, I missed it.
>>
>> Enterprises like these have three choices:
>> 1) Disallow access to such devices
>> 2) Force users to install root certs
>> 3) Force users to configure a proxy explicitly.
>> Arguably #3 is the best, from both the enterprise, site and user
>> perspective as setting up an explicit proxy should be easier than
>> installing a root cert for both enterprise and user, and the site now gets
>> signaled about the presence of a proxy.
>
> As you said, BYOD is the new trend (this email written on my Mac rather
> than a company laptop), so #1 is out. #2 is what we have now, and this
> applies not only to people who bring their own device, but also to people
> who use Firefox (a non-negligible group). They handle it by either
> searching for "install CA certificate on xxx" in a search engine and
> pasting the result on an intranet page, or by sending the users to do the
> search themselves.
>
> #3 is preferable for administrators, sites and users by making the UX for
> it the browser vendor's problem. Because "get the CA certificate from this
> wiki page, send it to an email account that you can access with your phone,
> double-tap the attachment on the phone, etc." - all this is a form of user
> experience, just not a good one.
>
> So if deploying an explicit proxy can get the BYOD people off of IT's
> back, it's a win for them.

OK, I think I see what you're saying. IIUC, you say that the setup UX sucks right now for MITM proxies, and browsers should make it better by providing an explicit configuration UI for this. I think that's an interesting point, that IT departments would prefer an explicit proxy if its setup were easier than the MITM proxy setup. I'm going to sleep on this one. The only thing that pops to mind for me is currently most browsers (mod Firefox only I think) generally delegate to the system preferences, so it'd be interesting to hear what an OS vendor (like Microsoft) has to say about this.

Cheers.

>
> Yoav

Received on Tuesday, 3 December 2013 11:21:55 UTC