Re: explicitly authenticated proxy: new draft

On 16 Jun 2014, at 13:54 , Mark Nottingham <mnot@mnot.net> wrote:
>> The mechanism we are proposing is just a way for the Proxy to manifest itself to ask the end user, and consequently the browser, for consent,
>> and then, in the case the end user provides the consent, for the proxy to stay in between,
>
> Right, but as Stephen has pointed out separately, doing so has a huge potential effect on the TLS ecosystem.
>
> Also, how will this work with existing browsers that aren't aware of your cert extensions?

As far as I can tell, Stephen's objections were about a proxy acting as an intermediary in a connection using HTTPS, where end-to-end peer authentication takes place. The draft deals with opportunistic TLS, and in this respect the explicit user consent proposed there is an advance with respect to what could become a common practice of putting in an intermediary the user is completely oblivious to. This can always be done when opportunistic encryption is intended, and proposals like draft-ietf-httpbis-http2-encryption do acknowledge they can only try to mitigate such behaviors.

Be goode,

--
"Esta vez no fallaremos, Doctor Infierno"

Dr Diego R. Lopez
Telefonica I+D
http://people.tid.es/diego.lopez/

e-mail: diego@tid.es
Tel:    +34 913 129 041
Mobile: +34 682 051 091
-----------------------------------------



Received on Tuesday, 17 June 2014 00:55:41 UTC