RE: explicitly authenticated proxy: new draft

"Richard Wheeldon (rwheeldo)" <rwheeldo@cisco.com> Mon, 26 May 2014 03:25 UTC

From: "Richard Wheeldon (rwheeldo)" <rwheeldo@cisco.com>
To: Salvatore Loreto <salvatore.loreto@ericsson.com>
CC: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Date: Mon, 26 May 2014 03:21:25 +0000
Message-ID: <0566CA5E9B906D40B6737DD47DA9FB8F1AF8DFE5@xmb-rcd-x04.cisco.com>
References: <20140505064315.1441.11209.idtracker@ietfa.amsl.com> <91DEC006-177D-4624-8194-7B02BD221B92@ericsson.com>
In-Reply-To: <91DEC006-177D-4624-8194-7B02BD221B92@ericsson.com>
Subject: RE: explicitly authenticated proxy: new draft
Archived-At: <http://www.w3.org/mid/0566CA5E9B906D40B6737DD47DA9FB8F1AF8DFE5@xmb-rcd-x04.cisco.com>
List-Id: <ietf-http-wg.w3.org>

Sorry for taking so long to get round to this. I've finally read through it. Whilst I fully appreciate the effort in trying to address the proxy cases, I'm a little bit concerned that by limiting it in scope to HTTP-only URLs we're still leaving the elephant in the room of organization-based HTTPS Inspection == MITM attack largely unaddressed. Also, I'd like to see an alteration such that either end-point could accept or reject connections based on TLS properties of the other - which is currently (and still in your draft) impossible. However, addressing these might put this in the scope of the TLS WG rather than the HTTP one but that's not my call to make.

It's a bit of a minor point, but I also find the use of "h2c" in a TLS negotiation ugly. Assuming that the c in h2c implies clear text, using it for an encrypted channel seems to be asking for confusion.

Richard

-----Original Message-----
From: Salvatore Loreto [mailto:salvatore.loreto@ericsson.com] 
Sent: 05 May 2014 07:50
To: ietf-http-wg@w3.org
Subject: explicitly authenticated proxy: new draft


we have produced a new draft that proposes the definition of an Explicitly Authenticated Proxy as an intermediary for normally unprotected "http://" URI scheme requests and responses of HTTP2 traffic.

The Explicitly Authenticated Proxy is defined as a message forwarding agent that is selected, with the user's explicit consent, and configured by the user agent to receive exclusively "http" URI scheme requests and to attempt to satisfy those requests on behalf of the user agent.
A client is connected to an Explicitly Authenticated Proxy through an authenticated TLS secured connection.

The document also describes a method for a user agent to automatically discover and authenticate, and for a user to provide consent for, an Explicitly Authenticated Proxy.
This enables proxy communication to be encrypted and authenticated, explicitly acknowledged by the user agent and visible to the server endpoint.


URL:            http://www.ietf.org/internet-drafts/draft-loreto-httpbis-explicitly-auth-proxy-00.txt
Status:         https://datatracker.ietf.org/doc/draft-loreto-httpbis-explicitly-auth-proxy/
Htmlized:       http://tools.ietf.org/html/draft-loreto-httpbis-explicitly-auth-proxy-00


comments, suggestions and feedback are welcome

br
Salvatore
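As an added illustration (not code from the draft or from either author), the Python below models the client-side behaviour the quoted description implies: only "http://" requests are handed to the proxy, only after user consent, and only over a TLS hop whose certificate chain and hostname are verified; "https://" requests never touch the proxy. The proxy host, port and CA bundle path are assumptions.

```python
# Added example: client-side gate for an explicitly authenticated proxy.
# Models: consent, http-only forwarding, verified TLS to the proxy.
import ssl
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ProxyConfig:
    host: str                 # name the proxy certificate must match (assumed)
    port: int                 # assumed proxy port
    cafile: Optional[str]     # CA bundle the proxy cert must chain to; None = system store
    consented: bool           # user explicitly agreed to use this proxy


def proxy_tls_context(cfg: ProxyConfig) -> ssl.SSLContext:
    """TLS settings for the client-to-proxy hop: chain and hostname are verified,
    so an unauthenticated proxy is refused rather than silently trusted."""
    ctx = ssl.create_default_context(cafile=cfg.cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def route(url: str, cfg: ProxyConfig) -> Tuple[str, str]:
    """Decide where a request goes and what request-target it carries.

    Returns ("proxy", absolute-form target) for http:// URLs when the user has
    consented, otherwise ("direct", origin-form target). https:// is always
    direct, so the proxy cannot become an HTTPS interception point.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if not parts.hostname:
        raise ValueError("URL has no host: %r" % url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    if scheme == "https":
        return "direct", target
    if scheme == "http":
        if not cfg.consented:
            return "direct", target
        # Proxies receive the absolute-form target (RFC 7230, section 5.3.2).
        return "proxy", "%s://%s%s" % (scheme, parts.netloc, target)
    raise ValueError("unsupported scheme: %r" % scheme)
```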