- From: Ben Schwartz <bemasc@google.com>
- Date: Tue, 18 Oct 2022 12:17:58 -0400
- To: Ryan Hamilton <rch@google.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CAHbrMsDgAxqm+iGm0-3rd050OmbiwBS0LY0M41Wi8dwqvAZ+tA@mail.gmail.com>
Thanks, the link got mangled. I meant https://datatracker.ietf.org/doc/draft-schwartz-modern-http-proxies/

On Tue, Oct 18, 2022 at 12:16 PM Ryan Hamilton <rch@google.com> wrote:

> I think [1] should perhaps be
> https://www.ietf.org/id/draft-schwartz-modern-http-proxies-00.html?
>
> On Tue, Oct 18, 2022 at 9:14 AM Ben Schwartz <bemasc@google.com> wrote:
>
>> I support the goals of the Unprompted Authentication draft. In fact, I'm
>> so supportive that I recently posted a draft that happens to solve an
>> overlapping problem in a very different way: "Modernizing HTTP Forward
>> Proxy Functionality" [1].
>>
>> To step back: confidential HTTP _resources_ are arguably a solved
>> problem. We can simply place the resource at an unguessable path (e.g.
>> "capability URLs" [2]). The problem mentioned by this draft occurs when
>> the HTTP service is origin-scoped (e.g. it is not a resource). The only
>> non-resource HTTP service that I'm aware of is forward proxy
>> functionality. Thus, one way to improve confidentiality of proxies is to
>> make them path-scoped, and this is what the "Modernizing" draft does.
>>
>> These proposals are not mutually exclusive. Path-scoped proxies have
>> other benefits, and unprompted authentication could be useful for other
>> services with inflexible paths (e.g. .well-known/ resources). However,
>> given the overlapping use cases, these drafts should probably be discussed
>> together.
>>
>> --Ben
>>
>> [1]
>> https://datatracker.ietf.org/doc/draft-schwartz-modern-http-proxies/Modernizing
>> HTTP Forward Proxy Functionality
>> [2] https://www.w3.org/TR/capability-urls/
Attachments
- application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Tuesday, 18 October 2022 16:18:23 UTC