W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2014

Re: new version trusted-proxy20 draft

From: 陈智昌 <willchan@chromium.org>
Date: Wed, 19 Feb 2014 10:16:07 -0800
Message-ID: <CAA4WUYgZXvAAAz-t7uji6_jXOcKck5j23wgxu-gNCa+xPm3Dew@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@gmail.com>
Cc: Patrick McManus <pmcmanus@mozilla.com>, Salvatore Loreto <salvatore.loreto@ericsson.com>, HTTP Working Group <ietf-http-wg@w3.org>, "draft-loreto-httpbis-trusted-proxy20@tools.ietf.org" <draft-loreto-httpbis-trusted-proxy20@tools.ietf.org>, GUS BOURG <gb3635@att.com>
On Wed, Feb 19, 2014 at 8:10 AM, Paul Hoffman <paul.hoffman@gmail.com> wrote:
> On Tue, Feb 18, 2014 at 8:54 PM, William Chan (陈智昌) <willchan@chromium.org>
> wrote:
>
>>
>> Good point. This is a controversial topic that we're unlikely to see
>> consensus on in the near future. Let me ask another question. Is there
>> a user agent that plans on supporting this proposal? At the Zurich
>> interim, IIRC, Patrick (Firefox), Rob (IE/WinInet), and I (Chromium)
>> all said we do not support this.
>
>
> How can any vendor know whether or not they support a feature that has not
> even been well described?

Sorry, my last sentence in that above paragraph was misleading. There
was a discussion at Zurich about how user agents felt about trusting
proxies to snoop on https traffic, and all user agents present (I
mentioned them already) did not support it. You're right, we didn't
discuss this *specific* proposal here. I will let other user agents
speak for themselves here. My point is, if no user agent supports this
direction, then I don't think we should standardize, since I don't
think we'll have running code.

>
>>
>> If that's in error, please speak up.
>> Otherwise, if no user agent plans on supporting this, I don't see the
>> value of standardizing this.
>
>
> The value has been stated repeatedly. If we don't standardize it, then the
> security of your users measurably goes down. Getting users to install
> private trust anchors that are known to be not as well protected as the rest
> of the trust anchors does a disservice to Internet security.

You ignored the conditional in my statement. I shall repeat it. *If no
user agent plans on supporting this*, I don't see the value of
standardizing it. You may reasonably argue that user agents *should*
support this. Therefore, I'm asking if there are user agents that
support this.

>
> --Paul Hoffman
Received on Wednesday, 19 February 2014 18:16:35 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:24 UTC