Re: Proxies (includes call for adopting new work item, call for input)

On Sun, Jun 22, 2014 at 12:35 PM, Martin Nilsson <nilsson@opera.com> wrote:

>  On Sun, 22 Jun 2014 18:39:58 +0200, Eric Rescorla <ekr@rtfm.com> wrote:
>
>> What I am concerned here is about the differentiation between the term
>> "proxy" (i.e., an imposed MITM) and "split UA" (i.e., a design decision of
>> the browser producer). Maybe we should try to coin a more neutral term,
>> like "intermediary" or "forwarder" or... Perceptions have a very important
>> role to play here.
>>
>
> Hmm... But the point is that these aren't the same thing from the user's
> perspective. In one case, you have to trust one set of people (the vendor)
> and in the other case you need to trust two (the vendor and the proxy
> operator). The use of two terms thus preserves that distinction and
> discussion of MITM devices needs to acknowledge that distinction
> or it's not going to get very far.
>
>
> I think we are talking about two different things, which is confusing
> things. There is the organizational aspect that you discuss. Then there is
> the technical aspect of if the server component is needed for the client to
> work (as opposed to merely hard coded to make the appearance of it being
> needed). These can combine in four different permutations, and all four are
> represented in practice.
>
> In addition you can of course bundle these together in a single client in
> any combination.
>

Sure, that's true.

However, I think the main *technical* issue here is what, if any, support
browsers ought to have for allowing network operators to install credentials
which allow them to act as a proxy for connections which would otherwise be
end-to-end secured between the client and the server. This may use the same
technical mechanisms once that's done (and in fact it currently mostly does),
but from a policy perspective it's totally different.

-Ekr

Received on Sunday, 22 June 2014 19:49:34 UTC