Re: Comments on Explicit/Trusted Proxy
Benjamin Carlyle <benjamincarlyle@soundadvice.id.au> Thu, 02 May 2013 21:30 UTC
From: Benjamin Carlyle <benjamincarlyle@soundadvice.id.au>
To: Peter Lepeska <bizzbyster@gmail.com>
Cc: ietf-http-wg@w3.org, Albert Lunde <atlunde@panix.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Archived-At: <http://www.w3.org/mid/CAN2g+6boyxmfdHvaztGhtOc0zVhm4u1558MQv4z27EMr_5wB3g@mail.gmail.com>
My biggest issue with the transition to SSL has been the reduced security it affords to M2M uses of http. I used to be able to throw a firewall in between two railway systems that filters messages by method and URI regex to limit the damage one compromised system can do to the next system down the line. These are already private networks, so although the extra layer of protection is welcome, it is not strictly necessary.

I'm still pondering the precise solution on this one. At present it seems to be to offload the SSL to the firewall also and to install each system's certificates on their firewalls instead of on their servers, and then do another SSL hop to the servers using a different certificate. This seems more or less reasonable, so probably doesn't necessitate a protocol change, but at least for the moment adds cost to the solution that wasn't previously there. Many firewalls are capable of http filtering but not of SSL offload.

I guess the central use case here is "I don't want to read your messages. I don't want to store them. I don't want a human to see them, but I want to check to ensure they comply with policy" -- a difficult one.
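The method-and-URI allowlisting the message describes, as an added example that is not the author's code: the policy check a TLS-terminating gateway would run on each decrypted request line before re-encrypting it toward the next system. The policy entries, path shapes and sample requests are constructed; the point is that the path is normalized once and the regex is anchored with fullmatch, so traversal and encoding tricks cannot slip past the allowlist.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed allowlist for one hypothetical link between two railway subsystems:
# each entry is (allowed methods, anchored regex over the normalized path).
POLICY = [
    ({"GET"}, re.compile(r"/trains/[0-9]{1,6}/position")),
    ({"PUT"}, re.compile(r"/signals/[A-Z]{2}[0-9]{3}/aspect")),
]

def normalize_path(target):
    """Reduce a request-target to one canonical path so the regex sees a single form:
    drop the query, percent-decode once, collapse repeated slashes, reject dot segments."""
    path = unquote(urlsplit(target).path)
    path = re.sub(r"/+", "/", path)
    if any(seg in (".", "..") for seg in path.split("/")):
        return None
    return path

def is_allowed(method, target):
    """True only if some rule lists the method AND its regex matches the whole path."""
    path = normalize_path(target)
    if path is None or not path.startswith("/"):
        return False
    return any(method in methods and pat.fullmatch(path) is not None
               for methods, pat in POLICY)

def filter_request(raw):
    """Inspect the request line of a decrypted HTTP/1.1 request.
    Returns (verdict, reason); the gateway forwards only on 'ALLOW'."""
    first, _, _ = raw.partition("\r\n")
    parts = first.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return ("DENY", "malformed request line")
    method, target, _ = parts
    if is_allowed(method, target):
        return ("ALLOW", f"{method} {target} matches policy")
    return ("DENY", f"{method} {target} not in allowlist")

if __name__ == "__main__":
    # Constructed sample requests, as the gateway sees them after TLS termination.
    samples = [
        "GET /trains/42/position HTTP/1.1\r\nHost: ctc.example\r\n\r\n",
        "PUT /signals/AB123/aspect HTTP/1.1\r\nHost: ctc.example\r\n\r\n",
        "DELETE /trains/42/position HTTP/1.1\r\nHost: ctc.example\r\n\r\n",
        "GET /trains/42/position/../../admin HTTP/1.1\r\nHost: ctc.example\r\n\r\n",
        "GET /trains/%34%32/position?x=1 HTTP/1.1\r\nHost: ctc.example\r\n\r\n",
    ]
    for s in samples:
        print(filter_request(s))
```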