Re: ext#9: OppSec and Proxies from Patrick McManus on 2014-07-02 (ietf-http-wg@w3.org from July to September 2014)

From: Patrick McManus <pmcmanus@mozilla.com>
Date: Wed, 2 Jul 2014 11:09:25 -0400
To: Mark Nottingham <mnot@mnot.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CAOdDvNpvcROXheN9XOhQixae6=Fkf_2MZZ7r6nO8pZNCvDJOrw@mail.gmail.com>

On Wed, Jul 2, 2014 at 2:26 AM, Mark Nottingham <mnot@mnot.net> wrote:

> <https://github.com/httpwg/http-extensions/issues/9>
>
> We need to define how a client using OppSec connects to a configured proxy

I'm not sure we need to define one path. It seems like a trust and policy
decision where it is sufficient to describe the mechanisms. Both proxying
and tunneling are sensible under different circumstances .

> Does the answer change if the proxy is http vs https?

That's one input. Another is the trust relationship you have with the proxy
and another might be the backend protocol capabilities of the intermediary.
(i.e. does it do OppSec as a client? does it do >= the client protocol
version, etc..)

> Can the proxy advertise OppSec?
>
>
devil is in the details - but generically: yes that's desirable

Received on Wednesday, 2 July 2014 15:09:51 UTC