Q: Automatic, secure proxy selection

Toerless Eckert <tte@cs.fau.de> Mon, 20 July 2020 06:33 UTC

Date: Sun, 19 Jul 2020 18:51:03 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: ietf-http-wg@w3.org
Message-ID: <20200719165103.GK13675@faui48f.informatik.uni-erlangen.de>
Subject: Q: Automatic, secure proxy selection
Archived-At: <https://www.w3.org/mid/20200719165103.GK13675@faui48f.informatik.uni-erlangen.de>
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/37886
List-Id: <ietf-http-wg.w3.org>

I hope a (simple?) user question is acceptable on this list; apologies if not.

What (if any) IETF/W3C standards exist to complete the following workflow:

- all for client/initiator (e.g. browser)
- Assume some DoH method for DNS lookups
- DNS lookup for www.example.com
- get in reply something like: (?)
    www.example.com trusts the following proxy.com
- Build TLS connection to proxy.com (?)
- Tunnel end-to-end https connection to www.example.com across (?)
    that TLS connection to proxy.com
    Aka: do not want proxy.com to be able to decrypt end-to-end payload.

Aka: I am unclear if there are appropriate DNS RRs to support the
following steps and if/how it is actually possible to have end-to-end
encryption across such an also-encrypted proxy connection.

The use case is obviously not to have network-layer exposure on
the path between client and proxy that the connection is with www.example.com,
and on the path between proxy and www.example.com that the connection is for the client.
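Added example (not part of the message above or of any reply to it): the tunnelling step of the workflow, i.e. "build a TLS connection to proxy.com" and then carry the end-to-end TLS session to www.example.com across it, is what HTTP CONNECT does. The code below is the client side of that: it builds the CONNECT request, parses the proxy's answer (including the 407 and "bytes after the header block" cases), and then runs the origin TLS handshake as payload of the tunnel so that the proxy only forwards ciphertext. It assumes the proxy's name has already been obtained somehow (the DNS side of the question is not addressed here), and every hostname, port and proxy reply used is a constructed placeholder.

```python
"""Client side of an HTTP CONNECT tunnel, with the origin TLS session layered
inside the (already TLS-protected) connection to the proxy.

Added example; not code from the original message. Assumptions not in the
message: the proxy's name has already been obtained (the DNS step asked about
is out of scope here), and the host/port values and proxy replies used with
this code are constructed placeholders.
"""
import re
import ssl
from typing import Dict, Optional, Tuple

CRLF = b"\r\n"
MAX_HEADER_BYTES = 16 * 1024  # bound on proxy response headers we will buffer


class TunnelError(Exception):
    """The proxy did not give us a usable tunnel."""


def build_connect_request(target_host: str, target_port: int,
                          proxy_authorization: Optional[str] = None) -> bytes:
    """Build `CONNECT host:port HTTP/1.1` for the proxy.

    The origin name appears only here, inside the outer TLS session to the
    proxy, so an on-path observer between client and proxy never sees it.
    """
    if not re.fullmatch(r"[A-Za-z0-9.-]{1,253}", target_host):
        raise ValueError("request target must be a plain hostname")  # blocks header injection
    if proxy_authorization and ("\r" in proxy_authorization or "\n" in proxy_authorization):
        raise ValueError("credential value must not contain CR/LF")
    authority = f"{target_host}:{int(target_port)}"
    lines = [f"CONNECT {authority} HTTP/1.1", f"Host: {authority}"]
    if proxy_authorization:
        lines.append(f"Proxy-Authorization: {proxy_authorization}")
    return CRLF.join(line.encode("ascii") for line in lines) + CRLF + CRLF


def parse_connect_response(buf: bytes) -> Optional[Tuple[int, Dict[str, str], bytes]]:
    """Parse the proxy's reply to CONNECT from the bytes received so far.

    Returns None while the header block is incomplete, otherwise
    (status, headers, leftover). `leftover` is whatever followed the header
    terminator; on a 2xx it already belongs to the tunnelled stream and must
    be fed to the inner TLS layer, not dropped. Any non-2xx raises.
    """
    end = buf.find(CRLF + CRLF)
    if end < 0:
        if len(buf) > MAX_HEADER_BYTES:
            raise TunnelError("proxy response headers too large")
        return None
    head, leftover = buf[:end], buf[end + 4:]
    status_line, *header_lines = head.split(CRLF)
    m = re.fullmatch(rb"HTTP/1\.[01] (\d{3})(?: .*)?", status_line)
    if not m:
        raise TunnelError(f"malformed status line: {status_line!r}")
    status = int(m.group(1))
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise TunnelError(f"malformed header line: {line!r}")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    if status == 407:
        raise TunnelError("proxy wants credentials: " + headers.get("proxy-authenticate", "?"))
    if not 200 <= status < 300:
        raise TunnelError(f"proxy refused the tunnel with status {status}")
    # A 2xx to CONNECT carries no body: HTTP requires the client to ignore
    # Content-Length / Transfer-Encoding here, so the proxy cannot use them to
    # re-frame bytes of the tunnel as a response body.
    headers.pop("content-length", None)
    headers.pop("transfer-encoding", None)
    return status, headers, leftover


def handshake_inside_tunnel(outer_sock, origin_host: str, leftover: bytes = b"") -> ssl.SSLObject:
    """Run the origin TLS handshake as payload of the tunnel.

    `outer_sock` is the already TLS-wrapped, certificate-verified socket to the
    proxy. Calling wrap_socket() on an SSLSocket does not nest in CPython (the
    new SSLSocket takes over the raw file descriptor and would bypass the outer
    session), so the inner session is driven through MemoryBIOs and its
    records are sent as ordinary tunnel data. The origin certificate is
    verified against origin_host independently of the proxy's certificate.
    """
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    inner = ctx.wrap_bio(incoming, outgoing, server_hostname=origin_host)
    incoming.write(leftover)  # bytes the proxy sent right after its 2xx
    while True:
        try:
            inner.do_handshake()
            break
        except ssl.SSLWantReadError:
            outer_sock.sendall(outgoing.read())  # flush our flight through the proxy
            chunk = outer_sock.recv(16384)
            if not chunk:
                raise TunnelError("tunnel closed during origin handshake")
            incoming.write(chunk)
    outer_sock.sendall(outgoing.read())  # e.g. our Finished record
    return inner
```

The security point of the layering is that there are two separately verified TLS sessions: the outer one authenticates proxy.com and hides the CONNECT target from the client-to-proxy path, the inner one authenticates www.example.com and keeps the payload opaque to the proxy; what the proxy-to-origin path still exposes is the origin's TLS handshake (e.g. SNI), not the client's identity.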