Re: Explicit Proxy (draft-rpeon-httpbis-exproxy) from Chad Goss on 2012-07-19 (ietf-http-wg@w3.org from July to September 2012)

From: Chad Goss <chgoss@gmail.com>
Date: Wed, 18 Jul 2012 20:33:46 -0400
To: Roberto Peon <grmocg@gmail.com>, ietf-http-wg@w3.org
Message-ID: <CABDykiA9qpDjfAFchssbEjakWbf2EDFRgqei6OPxFroo6KFtuw@mail.gmail.com>
>
> Hi All,
>>
>> Understand from Roberto the proposal requires that a secure tunnel has
>> already been established from the user-agent to the proxy. So the sequence
>> would be something along the lines of:
>>
>>
>>
>> 0. authentication credentials are installed on user-agent and
>> configured-proxy such that an HTTPS connection can be created successfully.
>>
>>
>>
>> 1. browser launches
>>
>>   1a. If the configured proxy is a trusted proxy, connect to it and
>> establishes a trusted pipe which remains up, and over which other HTTPS
>> established session keys will be transmitted.
>>
>>   1b. If the configured proxy is a caching proxy, do not establish tunnel
>> to it.
>>
>>
>>
>> 2. user-agent requests a page
>>
>>   2a. If the initial request was for HTTP, automatically route it over
>> HTTPS
>>
>>   2b. If the initial request was for HTTPS, proceed as normal
>>
>>
>>
>> 3. browser establishes an HTTPS connection to the content server, creates
>> ephemeral session key
>>
>> 4. If the configured proxy is a trusted proxy, browser sends the session
>> key to it, gets acknowledgement that it was received
>>
>> 5. browswer starts requesting data from content server over HTTPS.
>>
>> 6. trusted proxy decrypts data, inspects, forwards if that decision is
>> allowed for that packet.
>>
>>
>>
>> Questions, apologize if they have been asked/answered before:
>>
>> A. Is that sequence accurate?
>>
>> B. What assurances would be given to the users of this scheme that their
>> ephemeral session keys would be securely managed during an active session,
>> and destroyed immediately following?
>>
>> C.  How are we getting buy in from the content-server to authorize the
>> session to be decrypted?
>>
>> D. Would it be possible to create two categories of trusted proxy HTTPS
>> sessions? One that was allowed to be decrypted, one that wasn’t? The reason
>> I suggest this, is that I would be fine running all of my current HTTP
>> traffic over a scheme such as this, but I would never want my current HTTPS
>> (like banking) to run over a trusted proxy. This scheme doesn’t seem to
>> allow me that ability (since the configured proxy is designated as either
>> trusted or caching initially)? That might be the “mixed trust mode”? If so,
>> it would seem like having the ability to signal that situation was
>> necessary for the document? It would also be nice to have the ability to
>> separately configure security on the proxies.
>>
>> E. Does it seem like a leap to predicate so much of this proposal on
>> having all content-servers running HTTPS, and serving all content up over
>> that?
>>
>> F. In general, it would seem necessary to be able to distinguish between
>> #2a and #2b when determining the security associated with the tunnel
>> established in #3. In the #2a case, I would certainly be willing to live
>> with minimal security to improve performance..
>>
>>
>>
>> Thanks for your time
>>
>> -chad
>>
>>
>>
>>
>>
>> =================================
>>
>>
>>
>> D.  Would
>>
>>
>>
>> On Fri, Jul 13, 2012 at 12:47 PM, Roberto Peon <grmocg@gmail.com> wrote:
>>
>>
>> On Jul 13, 2012 9:03 AM, "Chad Goss" <chgoss@gmail.com> wrote:
>> >
>> > Hi,
>> > I have read the draft, the primary question I had was what is the
>> mechanism to transfer the decryption key material from user-agent to
>> configured-proxy in a secure, authenticated and trusted manner immediately
>> after tunnel establishment, and how are you going to do that prior to any
>> traffic traversing the tunnel?
>>
>> The draft is light on those details, to say the least. We'd have to
>> define a field (of a headers frame ) or frame that transported that
>> information.
>> Since the client is configured to do this, it knows to emit that frame as
>> soon as the TLS tunnel has been established.
>>
>> -=R
>>
>> >
>> > thanks
>> > -chad
>>
>> On Jul 13, 2012 9:03 AM, "Chad Goss" <chgoss@gmail.com> wrote:
>>
>> Hi,
>>
>> I have read the draft, the primary question I had was what is the
>> mechanism to transfer the decryption key material from user-agent to
>> configured-proxy in a secure, authenticated and trusted manner immediately
>> after tunnel establishment, and how are you going to do that prior to any
>> traffic traversing the tunnel?
>>
>>
>>
>> thanks
>>
>> -chad
>>
>>
>>
>>
>>
>
>
Received on Thursday, 19 July 2012 00:34:14 UTC