- From: Ryan Hamilton <rch@google.com>
- Date: Tue, 18 Oct 2022 09:16:19 -0700
- To: Ben Schwartz <bemasc@google.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CAJ_4DfRNCUFcz8kD557kN5aoENyzRS=FPsgVO7tc6YcqHK7-bQ@mail.gmail.com>
I think [1] should perhaps be https://www.ietf.org/id/draft-schwartz-modern-http-proxies-00.html? On Tue, Oct 18, 2022 at 9:14 AM Ben Schwartz <bemasc@google.com> wrote: > I support the goals of the Unprompted Authentication draft. In fact, I'm > so supportive that I recently posted a draft that happens to solve an > overlapping problem in a very different way: "Modernizing HTTP Forward > Proxy Functionality" [1]. > > To step back: confidential HTTP _resources_ are arguably a solved > problem. We can simply place the resource at an unguessable path (e.g. > "capability URLs" [2]). The problem mentioned by this draft occurs when > the HTTP service is origin-scoped (e.g. it is not a resource). The only > non-resource HTTP service that I'm aware of is forward proxy > functionality. Thus, one way to improve confidentiality of proxies is to > make them path-scoped, and this is what the "Modernizing" draft does. > > These proposals are not mutually exclusive. Path-scoped proxies have > other benefits, and unprompted authentication could be useful for other > services with inflexible paths (e.g. .well-known/ resources). However, > given the overlapping use cases, these drafts should probably be discussed > together. > > --Ben > > [1] > https://datatracker.ietf.org/doc/draft-schwartz-modern-http-proxies/Modernizing > HTTP Forward Proxy Functionality > [2] https://www.w3.org/TR/capability-urls/ >
Received on Tuesday, 18 October 2022 16:16:44 UTC