- From: Nicolas Mailhot <nicolas.mailhot@laposte.net>
- Date: Sun, 8 Apr 2012 22:01:50 +0200
- To: "Poul-Henning Kamp" <phk@phk.freebsd.dk>
- Cc: "Nicolas Mailhot" <nicolas.mailhot@laposte.net>, ietf-http-wg@w3.org
Le Dim 8 avril 2012 14:41, Poul-Henning Kamp a écrit : >>4. A way to inspect most of the client communication for malware. I say most >>because : > > If the site policy is "everything gets inspected", the protocol must support > that, either by allowing inspection, or by preventing the communication. > > It site administrators choose not to, because of sound use of > decretion/legally requiments etc, that is not a relevant factor in > the standardization. Real-world is not black-and-white. A big proxy setup is a compromise between what the security people want (inspect everything for malware) and the user happiness (some privacy). For some kinds of web sites the legal risks of inspecting will outweigh the legal risks of not inspecting (user bank accesses almost certainly fall there). That only reflects the ambivalence of general law on this subject. Any law-abiding operator will try to match law as much as possible. Exceptions that won't be inspected even though the general policy is to inspect will always be a minority because setting up exception lists is administrative hell but the protocols should permit such lists to be put in place. Like Willy wrote previously, a typical proxy setup is a tiered config of general rules, positive exceptions (do it even though the general rules say you should not), and negative exceptions (don't do it anyway). There is no reason choosing to inspect or not encrypted coms won't be handled the same way. Regards, -- Nicolas Mailhot
Received on Sunday, 8 April 2012 20:02:22 UTC