- From: Salvatore Loreto <salvatore.loreto@ericsson.com>
- Date: Tue, 18 Feb 2014 20:06:10 +0000
- To: Paul Hoffman <paul.hoffman@gmail.com>
- CC: HTTP Working Group <ietf-http-wg@w3.org>, "draft-loreto-httpbis-trusted-proxy20@tools.ietf.org" <draft-loreto-httpbis-trusted-proxy20@tools.ietf.org>
- Message-ID: <60142CD5-06FB-49FE-843B-CDC7AB2E1E77@ericsson.com>
On Feb 18, 2014, at 9:37 PM, Paul Hoffman <paul.hoffman@gmail.com<mailto:paul.hoffman@gmail.com>> wrote: On Tue, Feb 18, 2014 at 1:49 AM, Salvatore Loreto <salvatore.loreto@ericsson.com<mailto:salvatore.loreto@ericsson.com>> wrote: On Feb 17, 2014, at 4:58 AM, Paul Hoffman <paul.hoffman@gmail.com<mailto:paul.hoffman@gmail.com>> wrote: > Thanks for the new draft. I hope the comments below help make it a stronger proposal. > > - I suspect that the Captive Proxy example in 3.2 is missing something. It indicates that the proxy, before it sends back the ServerHello for TLS, redirects the User-Agent to stop doing TLS and do some rounds of HTTP. And somehow the GET has HTTPS in it. This seems all wrong. Please consider removing the whole idea of "I'm a proxy you don't know, but a web page will convince you to trust me". good point! Does this mean that you will remove 3.2? If so, reviewing the proposal will be much easier. yes I will! > > - The requirement for EV certs is silly for proxies. The proxy will often have a domain name or IP address that the CA cannot reach, and therefore it cannot do EV validation. This is security theater that is not helpful. not sure I understand all the aspects behind your comment here, so I am trying to analysing from two different angles - if the question is how would be possible for the browser/client to run OCSP to check the validity of certificates from the CA if the OCSP is ran over TLS I want to clarify that Trusted Proxy is only analyses the ALPN application tag (i.e.: H2clr and H2) in order to ask for consent only for H2clr all the rest of TLS connections will be pass. So OSCP will work. - if the question is that not all the companies that usually deploy proxies in their access network have all the requisites to have a EV certs then I don't know if it is worth to relax this requirement in order to broader the mechanism's adoption. I am open to any change. My only concern is that we need to come up with something that bring enough trust to the end user to convince her/him to provide consent to the proxy. What do you mean by "enough trust" and how does someone get there with EV certs? If you believe that EV certs are actually more trustworthy, that's fine, but that is not the general perception. Further, the rules for issuing EV certs will probably preclude many proxies from getting them. So, you are adding a layer of security theater that actually prevents adoption of the protocol for many organisations. and I don't want anything that actually prevents a large adoption of the protocol so I don't have any problem to remove the requirements on EV certs /Sal --Paul Hoffman
Received on Tuesday, 18 February 2014 20:06:35 UTC