
Re: explicitly authenticated proxy: new draft

From: Salvatore Loreto <salvatore.loreto@ericsson.com>
Date: Wed, 18 Jun 2014 06:54:17 +0000
To: Mark Nottingham <mnot@mnot.net>
CC: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "Diego R. Lopez" <diego@tid.es>, Martin Nilsson <nilsson@opera.com>, "<ietf-http-wg@w3.org>" <ietf-http-wg@w3.org>
Message-ID: <E591BEDE-4CAB-41B0-B728-FF411787D0E0@ericsson.com>

On Jun 18, 2014, at 3:49 AM, Mark Nottingham <mnot@mnot.net> wrote:

>> The main problem is really how to dynamically configure and authenticate a proxy that is inline to the user
>> (i.e. specific to the access network).
>>
>> The draft proposes to use the Proxy Certificate as a way for the Proxy to authenticate itself and at the same time trigger
>> the consent request in the Browser and show it to the end user.
>
> It sounds a lot like you're talking about a "transparent" proxy -- i.e., one that's not explicitly configured by the user (or their administrator on their behalf). Is that the case, or do I misunderstand?

Maybe it's me, or maybe there is a terminology problem here.

Does the fact that the configuration parameters are not explicitly inserted by hand (by the user or their administrator on their behalf) make the proxy a transparent one?
IMO a lot depends on how the automatic configuration happens.
The auth-draft is proposing a mechanism where the proxy manifests itself and asks the user for consent (through a popup window showing the right info to make
a conscious decision), and then, only if the user provides consent, that proxy is "automatically" configured by the proxy.
So in the end the user is always made aware of the fact that there is a proxy (the one that has manifested itself) in between himself and the content.
This mechanism, as proposed, is actually per network access and limited in time.

I think this proposal makes it even more explicit compared to a proxy configured by the administrator on behalf of the user, or even one configured by
the user and then forgotten.

Note that with this proposal all the power is on the user's and browser's side;
the proxy only manifests itself and provides the Proxy certificate to authenticate itself.
What to do with the Proxy certificate, how to show the consent request to the end user,
and how to configure the browser in the "right way" in case the user provides consent
will be up to the browser.


/Sal
Received on Wednesday, 18 June 2014 06:54:42 UTC
