W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Explicit proxy options and defaults

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Sat, 07 Dec 2013 18:37:46 +0000
Message-ID: <52A36AFA.4050006@cs.tcd.ie>
To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>

So Tim raised an important point about options for proxies and
defaults that I think maybe warrants its own thread.

Let's assume for a minute the WG manage to design an acceptable
solution that allows for Yoav's corporate proxy. That means
that Yoav would have one of two things going on when he uses
TLS from a web browser: a direct TLS connection or a connection
via an explicit proxy that decrypts and re-encrypts.

But, don't we really need three options: 1) direct, 2) via
explicit TLS proxy that decrypts (as above) and 3) via explicit
TLS proxy and CONNECT (where the TLS proxy doesn't decrypt and
there is an e2e TLS session providing confidentiality).

It seems to me that (1) and (3) match the currently deployed
web and so need to be maintained as the respective defaults for
when there is no proxy and when there is an explicit proxy.
(And I like (3) since its a security improvement over today's
web for proxy auth.)

And if an acceptable solution for (2) is found, that has to be
the non-default or else we're changing the semantics of HTTP.
In other words, (3) has to be the default for explicit proxies
since that's semantically the same as what we do today.

Is this on the right track, or would (3) as the default for
explicit proxies mean that the incentives for explicit proxies
decrease again to the point where they're not considered
worthwhile by those who'd implement them?

FWIW, its seems to me (wearing no hats) that "(2) without (3)"
would represent an overall worsening in the security of http/tls
whereas a "(2) and (3) with (3) as default" outcome could be
described as neutral or positive, depending on how (2) worked
and on what's likely to be implemented and deployed.

Regards,
S.
Received on Saturday, 7 December 2013 18:38:24 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:20 UTC