Re: new version trusted-proxy20 draft

On Feb 17, 2014, at 4:58 AM, Paul Hoffman <paul.hoffman@gmail.com> wrote:

> Thanks for the new draft. I hope the comments below help make it a stronger proposal.
> 
> - I suspect that the Captive Proxy example in 3.2 is missing something. It indicates that the proxy, before it sends back the ServerHello for TLS, redirects the User-Agent to stop doing TLS and do some rounds of HTTP. And somehow the GET has HTTPS in it. This seems all wrong. Please consider removing the whole idea of "I'm a proxy you don't know, but a web page will convince you to trust me".

Good point!

> 
> - The requirement for EV certs is silly for proxies. The proxy will often have a domain name or IP address that the CA cannot reach, and therefore it cannot do EV validation. This is security theater that is not helpful.

Not sure I understand all the aspects behind your comment here, so I am trying to analyse it from two different angles:

- If the question is how it would be possible for the browser/client to run OCSP to check the validity of certificates from the CA if OCSP is run over TLS,
I want to clarify that Trusted Proxy only analyses the ALPN application tag (i.e.: H2clr and H2) in order to ask for consent only for H2clr;
all the rest of the TLS connections will pass. So OCSP will work.

- If the question is that not all the companies that usually deploy proxies in their access network have all the
requisites to have EV certs, then I don't know if it is worth relaxing this requirement in order to broaden the mechanism's adoption.
I am open to any change. My only concern is that we need to come up with something that brings enough trust to the end user
to convince her/him to provide consent to the proxy.

br
Salvatore

> 
> --Paul Hoffman

Received on Tuesday, 18 February 2014 09:50:04 UTC