Re: Q: Automatic, secure proxy selection

Toerless Eckert <tte@cs.fau.de> Mon, 20 July 2020 07:43 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A50353A0815 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 20 Jul 2020 00:43:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.919
X-Spam-Level:
X-Spam-Status: No, score=-2.919 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v8pNaSw_wrfF for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 20 Jul 2020 00:43:05 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DBAF93A0814 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 20 Jul 2020 00:43:05 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1jxQPW-0005ML-9n for ietf-http-wg-dist@listhub.w3.org; Mon, 20 Jul 2020 07:40:30 +0000
Resent-Date: Mon, 20 Jul 2020 07:40:30 +0000
Resent-Message-Id: <E1jxQPW-0005ML-9n@lyra.w3.org>
Received: from www-data by lyra.w3.org with local (Exim 4.92) (envelope-from <eckert@i4.informatik.uni-erlangen.de>) id 1jxQPV-0005LU-Cs for ietf-http-wg@listhub.w3.org; Mon, 20 Jul 2020 07:40:29 +0000
Received: from mimas.w3.org ([128.30.52.79]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <eckert@i4.informatik.uni-erlangen.de>) id 1jxQ5z-0001aL-2d for ietf-http-wg@listhub.w3.org; Mon, 20 Jul 2020 07:20:19 +0000
Received: from faui40.informatik.uni-erlangen.de ([131.188.34.40]) by mimas.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <eckert@i4.informatik.uni-erlangen.de>) id 1jxQ5w-0007zg-50 for ietf-http-wg@w3.org; Mon, 20 Jul 2020 07:20:18 +0000
Received: from faui48f.informatik.uni-erlangen.de (faui48f.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:52]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id 88CFF548045; Mon, 20 Jul 2020 09:19:59 +0200 (CEST)
Received: by faui48f.informatik.uni-erlangen.de (Postfix, from userid 10463) id 82775440043; Mon, 20 Jul 2020 09:19:59 +0200 (CEST)
Date: Mon, 20 Jul 2020 09:19:59 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: Mark Nottingham <mnot@mnot.net>
Cc: ietf-http-wg@w3.org
Message-ID: <20200720071959.GM13675@faui48f.informatik.uni-erlangen.de>
References: <20200719165103.GK13675@faui48f.informatik.uni-erlangen.de> <D02F5373-03F7-470A-A589-44037841A478@mnot.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <D02F5373-03F7-470A-A589-44037841A478@mnot.net>
User-Agent: Mutt/1.10.1 (2018-07-13)
Received-SPF: pass client-ip=131.188.34.40; envelope-from=eckert@i4.informatik.uni-erlangen.de; helo=faui40.informatik.uni-erlangen.de
X-W3C-Hub-Spam-Status: No, score=-6.2
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1jxQ5w-0007zg-50 f1a59b15ad31a2a1f9f3d96482cb0d26
X-caa-id: 4a713a0d5a
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Q: Automatic, secure proxy selection
Archived-At: <https://www.w3.org/mid/20200720071959.GM13675@faui48f.informatik.uni-erlangen.de>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/37888
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On Mon, Jul 20, 2020 at 05:02:14PM +1000, Mark Nottingham wrote:
> This question is likely better asked on the DoH or another list, as it's not specific to HTTP.
> 

Thanks, Mark, i can ask there too, but i was thinking that the
particular proxy functionality would be specific to http.

E.g.: can i tunnel e2e encrypted through a http proxy ?

Cheers
  Toerless

> Cheers,
> 
> 
> > On 20 Jul 2020, at 2:51 am, Toerless Eckert <tte@cs.fau.de> wrote:
> > 
> > I hope a (simple?) user question is acceptable on this list, apologize if not.
> > 
> > What (if any) IETF/W3C standards exist to complete the following workflow:
> > 
> > - all for client/initiator (eg.: browser)
> > - Assume some DoH method for DNS lookups
> > - DNS lookup for www.example.com
> > - get in reply something like: (?)
> >    www.example.com trusts the following proxy.com
> > - Build TLS connection to proxy.com (?)
> > - Tunnel end-to-end https connection to www.example.com across (?)
> >    that TLS connection to proxy.com
> >    Aka: do not want proxy.com to be able to decrypt end-to-end payload.
> > 
> > Aka: I am am unclear if there are appropriate DNS RRs to support the
> > following steps and if/how it is actually possible to have end-to-end
> > encryption across such an also encrypted proxy connection. 
> > 
> > The use-case is obvious not to have network layer exposure on
> > the path between client and proxy that the connection is with www.example.com
> > and on path between proxy and www.example.com that connection is for client.
> > 
> > Thanks!
> >    Toerless
> > 
> > 
> > 
> 
> --
> Mark Nottingham   https://www.mnot.net/

-- 
---
tte@cs.fau.de