Re: Follow-up on draft-ietf-netconf-http-client-server from Ben Schwartz on 2020-07-23 (ietf-http-wg@w3.org from July to September 2020)

From: Ben Schwartz <bemasc@google.com>
Date: Thu, 23 Jul 2020 14:06:21 -0400
To: Kent Watsen <kent+ietf@watsen.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>, "netconf-chairs@ietf.org" <netconf-chairs@ietf.org>
Message-ID: <CAHbrMsDNwZN64Y7Tfp0e0JQOSfArk5LeUTC8JqBeatiBVFJN0g@mail.gmail.com>

No, it's entirely common to operate a Web Proxy that does not require or
perform any HTTP or TLS client authentication.  Typically, this is because
authorization is implicit from the network topology, and the proxy is only
reachable by authorized users.

On Thu, Jul 23, 2020 at 11:24 AM Kent Watsen <kent+ietf@watsen.net> wrote:

>
> TL;DR;  Is client-auth to a web proxy mandatory?
>
> Thanks,
> Kent
>
>
> On Jul 21, 2020, at 12:40 PM, Kent Watsen <kent+ietf@watsen.net> wrote:
>
> Thank you all for your earlier comments regarding
> draft-ietf-netconf-http-client-server
> <https://tools.ietf.org/html/draft-ietf-netconf-http-client-server>.
>
> The draft is now almost ready for WGLC (which will be CC-ed here as well),
> but there remains one item for which your guidance is needed (see bottom).
>
> First, as a recap, one of the primarily takeaways from before was that
> proxies can be supported both at the TCP-level (i.e., via SOCKS) and at the
> HTTP-level (i.e. via a Web Proxy).
>
> In order to support TCP-level proxies, the “tcp-client-grouping”, which is
> defined in another draft (draft-ietf-netconf-tcp-client-server
> <https://tools.ietf.org/html/draft-ietf-netconf-tcp-client-server>), now
> defines optional configuration enabling any TCP-client to initiate a
> connection via a proxy.  FWIW, here is a direct link to the "tree diagram”
> <https://tools.ietf.org/html/draft-ietf-netconf-tcp-client-server-07#section-3.1.2.1>
> illustrating this.
>
> In order to support HTTP-level proxies, *this* draft was modified to
> introduce a new “proxy-connect” configuration stanza that, in effect, is
> the complete configuration for another HTTP-client connection.  Here’s a direct
> link to the “tree diagram”
> <https://tools.ietf.org/html/draft-ietf-netconf-http-client-server-04#section-2.1.2.2> and
> here is a fully-populated example
> <https://tools.ietf.org/html/draft-ietf-netconf-http-client-server-04#section-2.2> (see
> 2nd example).
>
> Does everything appear to be in order so far?
>
> Now, for the question, do Web Proxies require client-auth?  More
> specifically:
>
>    1. when an HTTP client is connecting to a Web Proxy via HTTP, is
>    HTTP-level auth (i.e. Basic) mandatory or optional?
>    2. when an HTTP client is connecting to a Web Proxy via HTTPS, is
>    TLS-level and/or HTTP-level auth mandatory or optional?
>
>
> Thanks,
> Kent
>
>
>

Attachments

application/pkcs7-signature attachment: S/MIME Cryptographic Signature

Received on Thursday, 23 July 2020 18:06:47 UTC