Re: new version trusted-proxy20 draft from Paul Hoffman on 2014-02-17 (ietf-http-wg@w3.org from January to March 2014)

From: Paul Hoffman <paul.hoffman@gmail.com>
Date: Sun, 16 Feb 2014 18:58:57 -0800
To: Salvatore Loreto <salvatore.loreto@ericsson.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>, "draft-loreto-httpbis-trusted-proxy20@tools.ietf.org" <draft-loreto-httpbis-trusted-proxy20@tools.ietf.org>
Message-ID: <CAPik8yaVqAzfgsoCCjb1WDnQqYNYL0uHfhE2HvGXjcn4-UP2fQ@mail.gmail.com>

Thanks for the new draft. I hope the comments below help make it a stronger
proposal.

- I suspect that the Captive Proxy example in 3.2 is missing something. It
indicates that the proxy, before it sends back the ServerHello for TLS,
redirects the User-Agent to stop doing TLS and do some rounds of HTTP. And
somehow the GET has HTTPS in it. This seems all wrong. Please consider
removing the whole idea of "I'm a proxy you don't know, but a web page will
convince you to trust me".

- The requirement for EV certs is silly for proxies. The proxy will often
have a domain name or IP address that the CA cannot reach, and therefore it
cannot do EV validation. This is security theater that is not helpful.

--Paul Hoffman

Received on Monday, 17 February 2014 02:59:29 UTC