W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2014

Re: new version trusted-proxy20 draft

From: Paul Hoffman <paul.hoffman@gmail.com>
Date: Sun, 16 Feb 2014 18:58:57 -0800
Message-ID: <CAPik8yaVqAzfgsoCCjb1WDnQqYNYL0uHfhE2HvGXjcn4-UP2fQ@mail.gmail.com>
To: Salvatore Loreto <salvatore.loreto@ericsson.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>, "draft-loreto-httpbis-trusted-proxy20@tools.ietf.org" <draft-loreto-httpbis-trusted-proxy20@tools.ietf.org>
Thanks for the new draft. I hope the comments below help make it a stronger
proposal.

- I suspect that the Captive Proxy example in 3.2 is missing something. It
indicates that the proxy, before it sends back the ServerHello for TLS,
redirects the User-Agent to stop doing TLS and do some rounds of HTTP. And
somehow the GET has HTTPS in it. This seems all wrong. Please consider
removing the whole idea of "I'm a proxy you don't know, but a web page will
convince you to trust me".

- The requirement for EV certs is silly for proxies. The proxy will often
have a domain name or IP address that the CA cannot reach, and therefore it
cannot do EV validation. This is security theater that is not helpful.

--Paul Hoffman
Received on Monday, 17 February 2014 02:59:29 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:24 UTC