Re: explicitly authenticated proxy: new draft

On Mon, 05 May 2014 08:49:34 +0200, Salvatore Loreto  
<salvatore.loreto@ericsson.com> wrote:

>
> we have produced a new draft that proposes the definition of an  
> Explicitly Authenticated
> Proxy as intermediary of normally unprotected "http://" URI scheme  
> requests and responses of HTTP2 traffic.
>

We've spent some time at Opera implementing this to try to see how it holds
together. Given that it assumes that the client pro-actively sends http
traffic over TLS, it doesn't appear to apply cleanly to normal browsing,
but it is applicable to Opera Turbo, where all http traffic is tunneled
through our proxies. I fear it might be a bit too narrow a use case as is to
standardize. Some suggestions:

- Given how the negotiation mechanism works, this is locked to HTTP/2.
There are still a lot of HTTP/1 use cases around for something like this.

- There are many places where root certificates are added to silently
force proxies into TLS streams. I think those should be considered here as
well (e.g. intercepting all TLS, but instead giving the user the choice to
abort the request). If we can move to a place where no one has a
legitimate reason to modify the client root store, that would be an
overall win.

- The client certificates need work. Some of these fields are
underspecified, like logo and presentation name. The certificates also
need to be locked to a network, with that network information (APN,
MCC/MNC etc.) signed in the certificate. When the proxyFunctions are
defined we should make them verifiable, and decide if they should describe
effects (faster, smaller), functions (compression, caching) and/or
privileges (modify content, inspect headers).

I think the proxy certificates are a nice idea that might even work outside
of TLS connections to verify that you are using the expected proxy. I'll
take a stab at defining it a bit more, possibly in a separate draft.

/Martin Nilsson

-- 
Using Opera's revolutionary email client: http://www.opera.com/mail/

Received on Thursday, 12 June 2014 14:31:54 UTC
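A client-side check along the lines of the suggestions in the message above (a certificate locked to a network, verifiable proxyFunctions, and a user prompt instead of silent acceptance), written here as an added example. It is not code from the draft, from Opera, or from the original poster. The certificate layout (a JSON claims object with `presentation_name`, `network_binding` and `proxy_functions` fields), the mapping from functions to privileges, and the HMAC used as a stand-in for the issuer's signature are all assumptions; the draft's actual fields are not defined on this page.

```python
import hashlib
import hmac
import json

# Stand-in for the issuer's signing key. A real proxy certificate would carry
# an asymmetric signature chained to a trusted issuer; an HMAC is used here only
# so the example runs with the standard library. (assumption)
ISSUER_KEY = b"constructed-issuer-key"

# Privileges each proxy function needs. The function and privilege names are
# assumptions: the draft's proxyFunctions are not yet defined in the text above,
# which is exactly why the poster asks for them to be made verifiable.
FUNCTION_PRIVILEGES = {
    "compression": {"modify_content"},
    "caching": {"inspect_headers"},
    "image_transcoding": {"modify_content", "inspect_headers"},
}


def canonical(claims):
    """Deterministic encoding of the signed part of the certificate."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def sign_claims(claims, key=ISSUER_KEY):
    return hmac.new(key, canonical(claims), hashlib.sha256).hexdigest()


def make_cert(claims, key=ISSUER_KEY):
    return {"claims": claims, "signature": sign_claims(claims, key)}


def verify_signature(cert, key=ISSUER_KEY):
    return hmac.compare_digest(sign_claims(cert["claims"], key), cert["signature"])


def network_matches(cert, network):
    """The certificate is only valid on the network it was issued for."""
    binding = cert["claims"]["network_binding"]
    return all(binding.get(k) == network.get(k) for k in ("apn", "mcc", "mnc"))


def missing_privileges(cert, granted):
    """Privileges the advertised functions need but the user has not granted.
    An unknown function is reported as an unknown privilege, never ignored."""
    needed = set()
    for fn in cert["claims"]["proxy_functions"]:
        needed |= FUNCTION_PRIVILEGES.get(fn, {"unknown:" + fn})
    return needed - set(granted)


def evaluate(cert, network, granted, key=ISSUER_KEY):
    """Return ("accept", []), ("prompt", reasons) or ("reject", reasons).

    A bad signature is rejected outright. Anything else that does not line up
    (wrong network, more privileges than granted) is surfaced to the user as a
    prompt with the option to abort, rather than being silently accepted.
    """
    if not verify_signature(cert, key):
        return ("reject", ["signature does not verify"])
    reasons = []
    if not network_matches(cert, network):
        reasons.append("certificate is bound to a different network")
    missing = missing_privileges(cert, granted)
    if missing:
        reasons.append("proxy requests privileges not granted: "
                       + ", ".join(sorted(missing)))
    return ("accept", []) if not reasons else ("prompt", reasons)


# Constructed sample certificate and network state (not real values).
SAMPLE_CERT = make_cert({
    "presentation_name": "Example Turbo Proxy",
    "network_binding": {"apn": "turbo.example", "mcc": "240", "mnc": "01"},
    "proxy_functions": ["compression", "caching"],
})
CURRENT_NETWORK = {"apn": "turbo.example", "mcc": "240", "mnc": "01"}
GRANTED = {"modify_content", "inspect_headers"}

if __name__ == "__main__":
    print(evaluate(SAMPLE_CERT, CURRENT_NETWORK, GRANTED))
    print(evaluate(SAMPLE_CERT, {"apn": "internet", "mcc": "240", "mnc": "01"}, GRANTED))
    print(evaluate(SAMPLE_CERT, CURRENT_NETWORK, {"inspect_headers"}))
```

The decision is deliberately three-valued: only a signature failure is a hard reject, while a network mismatch or an over-broad function list is turned into a prompt so the user keeps the choice to abort the request, which is the behaviour the message argues for over today's silently installed root certificates.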