RE: Explicit Proxy [was: A proposal] from Yoav Nir on 2013-11-20 (ietf-http-wg@w3.org from October to December 2013)

From: Yoav Nir <synp71@live.com>
Date: Wed, 20 Nov 2013 08:03:18 +0000
To: Mark Nottingham <mnot@mnot.net>
CC: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <DUB124-W33D962E7721CA88F799909B1E60@phx.gbl>

> From: mnot@mnot.net
> Date: Wed, 20 Nov 2013 13:07:46 +1100
> CC: ietf-http-wg@w3.org; fielding@gbiv.com; stephen.farrell@cs.tcd.ie; phk@phk.freebsd.dk; mike@belshe.com
> To: w@1wt.eu
> Subject: Explicit Proxy [was: A proposal]
> 
> Hi Willy,
> 
> On 20/11/2013, at 12:41 PM, Willy Tarreau <w@1wt.eu> wrote:
> > 
> > So let's loop back to one of the very old points about tls+auth for
> > proxies. This will significantly improve the ability to use anonymisers
> > and to use them safely. Without even the SNI or destination address
> > being useful (right now the SNI is carried over clear text even
> > through proxies).
> > 
> > That way we can have end users safely connect to well known anonymisers
> > without anyone being able to get anything from that conversation, to
> > the same extents as what the pro-TLS guys expect from full TLS to
> > servers.
> > 
> > I know it has been discussed many times in the past, but let's bring
> > that again on the table so that "people don't die anymore". Secure,
> > trusted proxies are *the* solution to solve the privacy issues that
> > make some people insist so much on having TLS. Let's just have it
> > towards the right place.
> 
> 
> Explicit proxy is tracked here: <https://github.com/http2/http2-spec/issues/316>. 
> 
> I've heard a significant amount of interest in this, especially at and after Vancouver, and think we'll see more proposals soon.

Hi Mark
To be sure, discovery of proxies may be done at the HTTP layer, but doesn't have to be.  One method to discover TLS proxies is through the TLS handshake. Here's one proposal on how to do it:http://tools.ietf.org/html/draft-mcgrew-tls-proxy-server-01

At the time, the TLS working group rejected it, as this was considered to be standardizing wiretap. If this group would like to standardize *any* method of discovering (and cooperating with) TLS proxies, we can resurrect this draft, but expect an up-hill battle with the rest of the IETF, including but not limited to a security AD that is on this list.
Yoav

Received on Wednesday, 20 November 2013 08:03:54 UTC