Re: Comments on Explicit/Trusted Proxy
Werner Baumann <werner.baumann@onlinehome.de> Sun, 05 May 2013 08:43 UTC
Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EAA2C21F8FD6 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 5 May 2013 01:43:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 23a5Y1-XuapY for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 5 May 2013 01:42:57 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id 531C221F8FBE for <httpbisa-archive-bis2Juki@lists.ietf.org>; Sun, 5 May 2013 01:42:56 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1UYuUa-00067o-Oq for ietf-http-wg-dist@listhub.w3.org; Sun, 05 May 2013 08:40:24 +0000
Resent-Date: Sun, 05 May 2013 08:40:24 +0000
Resent-Message-Id: <E1UYuUa-00067o-Oq@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <werner.baumann@onlinehome.de>) id 1UYuUM-00064p-5k for ietf-http-wg@listhub.w3.org; Sun, 05 May 2013 08:40:10 +0000
Received: from moutng.kundenserver.de ([212.227.126.186]) by lisa.w3.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from <werner.baumann@onlinehome.de>) id 1UYuUK-0000zO-PG for ietf-http-wg@w3.org; Sun, 05 May 2013 08:40:10 +0000
Received: from ginster.fritz.box (dtmd-4db26899.pool.mediaWays.net [77.178.104.153]) by mrelayeu.kundenserver.de (node=mrbap1) with ESMTP (Nemesis) id 0LbQ1i-1UAK2e21uc-00kr9W; Sun, 05 May 2013 10:39:42 +0200
Date: Sun, 05 May 2013 10:39:33 +0200
From: Werner Baumann <werner.baumann@onlinehome.de>
To: ietf-http-wg@w3.org
Message-ID: <20130505103933.4ccf0ef5@ginster.fritz.box>
In-Reply-To: <518554D1.7020901@cs.tcd.ie>
References: <em2a41028e-505a-4d9f-858e-341d3bf5e8d8@bombed> <5184E317.6070903@cs.tcd.ie> <CAP+FsNffGxaD3L2Ra8b_vqObO9X-FqELLO5g0cYM=uHFL0_yhQ@mail.gmail.com> <518554D1.7020901@cs.tcd.ie>
X-Mailer: Claws Mail 3.7.6 (GTK+ 2.20.1; i486-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Provags-ID: V02:K0:gDfARVJE6B0EM7kdU3TLs8OUbG4YohBpCTu6aHqNHH4 UlPl29mjqi2UloQdRXnuKZeMu/jDV5/VM59qTloaqifupQvu8o AsrDKsDhVB+79pkcfKbdYRjtImoXGxNvLoJDPRKa6vzj36sgEa sRYy1OE3hIp4ozWR+/isqTfDZjnwvuDQB62C2fQTJQlBovAxig dVOmaYsOEybD6YfcBRie3T4tyh/Jv+QROHdw8IO72RwvZlWyUR ZTHPgMfjiYVtELkYFreVnZkt0jn+/8+RlDiUBpc/6mls/O1SiK NMqUQ1OtQs7Ll/YyjaBxL19Z+iwKboXjn+vvhU4fe1wA2Wo02J gi2wdFdVqz7Eu3YUPcmMymoK5eihrw8FISzYOP0a4
Received-SPF: none client-ip=212.227.126.186; envelope-from=werner.baumann@onlinehome.de; helo=moutng.kundenserver.de
X-W3C-Hub-Spam-Status: No, score=-1.9
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001
X-W3C-Scan-Sig: lisa.w3.org 1UYuUK-0000zO-PG 7bab788feb9e25c4654650f79544a784
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Comments on Explicit/Trusted Proxy
Archived-At: <http://www.w3.org/mid/20130505103933.4ccf0ef5@ginster.fritz.box>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/17839
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Am Sat, 04 May 2013 19:34:57 +0100 schrieb Stephen Farrell <stephen.farrell@cs.tcd.ie>: > No, I'm not insulting anyone nor trying to. I am describing > the purported requirements here as mainly-bogus which is > pejorative but entirely different and is IMO justified. I > think emphasis on the bogosity of the purported requirements > is deserved. > ... > - Possible government mandated MITM attacks on IETF protocols > were a major factor in why we ended up with RFC2804. I suggest > that's required reading for people proposing work on this > topic. Definition of Wiretapping from RFC2804: Wiretapping is what occurs when information passed across the Internet from one party to one or more other parties is delivered to a third party: 1. Without the sending party knowing about the third party 2. Without any of the recipient parties knowing about the delivery to the third party 3. When the normal expectation of the sender is that the transmitted information will only be seen by the recipient parties or parties obliged to keep the information in confidence 4. When the third party acts deliberately to target the transmission of the first party, either because he is of interest, or because the second party's reception is of interest. An explicit trusted proxy does not meet this definition of wiretapping because of condition 1. Whether information is delivered to a third party at all depends on the administration of that proxy. End users will have to decide whether to trust it or not (which is much more easy done than to decide whether to trust some CA or not). All participants in this discussion that argued in favor of explicit trusted proxies did it to stop a situation where this is done without the end user knowing of the interception. The whole point of these proposals is to make the user aware of the proxy and to allow the user to either agree or deny. Start of not trying to insult section: Repeating the mantra "Don't open TLS to MITM attacks" is bogus in face of the well known fact that TLS is susceptible to MITM attacks (mostly due to not trustworthy CAs) and that this weakness is already widely exploited. Werner
- Reminder: Call for Proposals - HTTP/2.0 and HTTP … Mark Nottingham
- Re: Reminder: Call for Proposals - HTTP/2.0 and H… James M Snell
- Re: Reminder: Call for Proposals - HTTP/2.0 and H… Mark Nottingham
- Re: Reminder: Call for Proposals - HTTP/2.0 and H… James M Snell
- Re: Reminder: Call for Proposals - HTTP/2.0 and H… Willy Tarreau
- Re: Reminder: Call for Proposals - HTTP/2.0 and H… Mark Nottingham
- Re: Reminder: Call for Proposals - HTTP/2.0 and H… Nicolas Mailhot
- Re: Reminder: Call for Proposals - HTTP/2.0 and H… Nicolas Mailhot
- Re: Reminder: Call for Proposals - HTTP/2.0 and H… Willy Tarreau
- RE: Reminder: Call for Proposals - HTTP Authentic… lionel.morand
- Re: Reminder: Call for Proposals - HTTP/2.0 and H… Nicolas Mailhot
- Re: Reminder: Call for Proposals - HTTP/2.0 and H… James M Snell
- RE: Reminder: Call for Proposals - HTTP Authentic… lionel.morand
- Re: Reminder: Call for Proposals - HTTP/2.0 and H… Peter Lepeska
- Re: Reminder: Call for Proposals - HTTP/2.0 and H… William Chan (陈智昌)
- Re: Reminder: Call for Proposals - HTTP/2.0 and H… Peter Lepeska
- Re: Reminder: Call for Proposals - HTTP/2.0 and H… William Chan (陈智昌)
- Re: Reminder: Call for Proposals - HTTP Authentic… Mark Nottingham
- RE: Reminder: Call for Proposals - HTTP Authentic… lionel.morand
- Re: Reminder: Call for Proposals - HTTP Authentic… Mark Nottingham
- RE: Reminder: Call for Proposals - HTTP Authentic… lionel.morand
- Re: Reminder: Call for Proposals - HTTP/2.0 and H… Nicolas Mailhot
- RE: Reminder: Call for Proposals - HTTP Authentic… Markus.Isomaki
- Re: Reminder: Call for Proposals - HTTP/2.0 and H… Peter Lepeska
- Re: Reminder: Call for Proposals - HTTP/2.0 and H… William Chan (陈智昌)
- Comments on Explicit/Trusted Proxy Peter Lepeska
- Re: Comments on Explicit/Trusted Proxy Stephen Farrell
- Re: Comments on Explicit/Trusted Proxy Peter Lepeska
- Re: Comments on Explicit/Trusted Proxy Yoav Nir
- Re: Comments on Explicit/Trusted Proxy Roberto Peon
- Re: Comments on Explicit/Trusted Proxy Peter Lepeska
- Re: Comments on Explicit/Trusted Proxy Stephen Farrell
- Re: Comments on Explicit/Trusted Proxy Fabian Keil
- Re: Comments on Explicit/Trusted Proxy Peter Lepeska
- Re: Comments on Explicit/Trusted Proxy Stephen Farrell
- Re: Comments on Explicit/Trusted Proxy Peter Lepeska
- Re: Comments on Explicit/Trusted Proxy Stephen Farrell
- Re: Comments on Explicit/Trusted Proxy Albert Lunde
- Re: Comments on Explicit/Trusted Proxy Stephen Farrell
- Re: Comments on Explicit/Trusted Proxy Peter Lepeska
- Re: Comments on Explicit/Trusted Proxy Peter Lepeska
- Re: Comments on Explicit/Trusted Proxy Roberto Peon
- Re: Comments on Explicit/Trusted Proxy Benjamin Carlyle
- Re: Comments on Explicit/Trusted Proxy Adrien W. de Croy
- Re: Comments on Explicit/Trusted Proxy Stephen Farrell
- Re: Comments on Explicit/Trusted Proxy Adrien W. de Croy
- Re: Comments on Explicit/Trusted Proxy Roberto Peon
- Re: Comments on Explicit/Trusted Proxy Roberto Peon
- Re: Comments on Explicit/Trusted Proxy Roberto Peon
- Re: Comments on Explicit/Trusted Proxy Adrien W. de Croy
- Re: Comments on Explicit/Trusted Proxy Roberto Peon
- Re: Comments on Explicit/Trusted Proxy Adrien W. de Croy
- Re: Comments on Explicit/Trusted Proxy Stephen Farrell
- Re: Comments on Explicit/Trusted Proxy Roberto Peon
- Re: Comments on Explicit/Trusted Proxy Stephen Farrell
- Re: Comments on Explicit/Trusted Proxy Roberto Peon
- Re: Comments on Explicit/Trusted Proxy Werner Baumann
- Re: Comments on Explicit/Trusted Proxy Stephen Farrell
- Re: Comments on Explicit/Trusted Proxy Yoav Nir
- Re: Comments on Explicit/Trusted Proxy Adrien W. de Croy
- Re: Comments on Explicit/Trusted Proxy Yoav Nir
- Re: Comments on Explicit/Trusted Proxy Adrien W. de Croy