Re: What will incentivize deployment of explicit proxies?

In the case of the corporate proxy, you delegate trust for the duration 
of your use of the browser at that location.

So I would expect some UI indication that is basically permanently 
indicating this is happening, which is why I previously suggested the 
frame could be a way to do it.

There's also a class of proxy that we haven't been considering much 
here, that is possibly the most wide-spread:

Localhost proxies for products like endpoint AV.


------ Original Message ------
From: "Patrick McManus" <>
To: "William Chan (陈智昌)" <>
Cc: "Yoav Nir" <>; "Nicolas Mailhot" <>; "Roberto Peon" <>; "HTTP Working Group" <>
Sent: 4/12/2013 11:25:20 a.m.
Subject: Re: What will incentivize deployment of explicit proxies?
>On Tue, Dec 3, 2013 at 1:53 PM, William Chan (陈智昌) <> wrote:
>>I can probably expect to be tarred and feathered by my security team 
>>if I tell them we need to put up a UI asking the end user to make a 
>>decision about security :)
>Right. There is probably no way the user can make a meaningful decision 
>here. Heck - I'm not sure I can make a meaningful decision and I'm 
>certainly more familiar with the issues than most users. We've just 
>begun to uncover some of the reasons why.
>You make a "trust" delegation to your proxy to do exactly what.. load a 
>single URL? load just a particular origin? load a page.. (for how long 
>(scripts!)?).. Can different pages use scripts cached with that trust? 
>Can they use my pre-established cookies? What about mixed content 
>rules? What about a safe browsing database or a CRL list - are those 
>still trusted? How about browser updates or new addons? Should you be 
>prompted separately to search and login to is 
>every page a new dialog? Are we going to categories where you opt in to a 
>category (e.g. search, but not finance) and then the server gets to 
>decide what kind of data it is instead of the user? Why is my EV 
>indicator now gone, and does that deter server side folks who want a 
>stable UI from adopting EV?
>And that's all rather beside the point. The information belongs to the 
>user not to the network even if the network is not obliged to carry it. 
>If the network would like to be able to more expressively define 
>mechanisms saying it refuses to carry e2e secured data I would be happy 
>to make use of that..

Received on Tuesday, 3 December 2013 22:33:38 UTC