W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2014

Re: Trusted proxy UI strawman

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Mon, 16 Jun 2014 11:34:43 +0100
Message-ID: <539EC843.6040105@cs.tcd.ie>
To: bizzbyster@gmail.com
CC: Martin Thomson <martin.thomson@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>

Hiya,

On 16/06/14 04:01, bizzbyster@gmail.com wrote:
> Hi Stephen,
> 
> Our users want this so we are building it -- and we prefer to provide
> them with a mechanism to opt in and out on a per site basis as well
> as solve the problem of transitive trust introduced by standard MITM
> proxies. While changes to the TLS layer are not required, it is the
> most straightforward way to provide optimization for HTTPS web sites
> for a service provider that has already deployed web acceleration via
> proxies for HTTP-schemed web sites. Ideally the protocol changes we
> make to our proxy and our web browser, including users on commercial
> airlines like JetBlue and United, will be standardized so that our
> users will get optimization when using other browsers and also when
> they are using our browser when communicating with other proxies.

I think the word "user" in the above is conflating people (with a
browser), content authors and n/w operators, at least. I (as a
user visiting web sites) do not "want this," nor do I as a content
author, nor do I as a (very very tiny:-) web site admin. And I
definitely do not "want this" for my calendar nor IMAP etc.

So I don't agree that borking TLS is the most straightforward way
to do something that I want, for at least 3 or 4 definitions of
me as a user. And I'm pretty sure that I'm not at all alone in that.
(But wasn't a lot of the above said already on this list?)

> "If HTTP needs a proxy solution,please aim to develop an HTTP
> solution and do not affect the many other protocols and applications
> within and beyond the IETF that depend on TLS and that do not need an
> MITM."
> 
> What did you have in mind? I'm really interested in alternatives that
> do not involve modifying the TLS layer.

Mostly I have in mind not borking TLS;-)

I'm sorry to seem so negative here, but when there are such
conflicting requirements, I guess that's gonna be the case.
In my defence, I think I can fairly claim that "don't bork
TLS" is actually a positive statement overall.

Cheers,
S.


> 
> Thanks,
> 
> Peter
> 
> 
> On Jun 15, 2014, at 3:48 PM, Stephen Farrell
> <stephen.farrell@cs.tcd.ie> wrote:
> 
>> 
>> 
>> On 15/06/14 20:34, bizzbyster@gmail.com wrote:
>>> The whole idea of this proposal is to make it no different than 
>>> today's MITM ...
>> 
>> I'm not sure that I'm exactly clear on what's proposed but in any
>> case the above is not at all attractive. I thought we had already
>> had the discussion here that ended up concluding that MITMing TLS
>> is not the way to try tackle an HTTP problem. The MITMing-TLS
>> approach has been proposed and rejected many times. If HTTP needs a
>> proxy solution, please aim to develop an HTTP solution and do not
>> affect the many other protocols and applications within and beyond
>> the IETF that depend on TLS and that do not need an MITM. And that
>> might not have a user or browser or equivalent.
>> 
>> I mean we could repeat all that debate, but it seems better not to
>> do that to me at least.
>> 
>> S.
> 
> 
Received on Monday, 16 June 2014 10:35:22 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:31 UTC