Re: Comments on Explicit/Trusted Proxy

Benjamin Carlyle <benjamincarlyle@soundadvice.id.au> Thu, 02 May 2013 21:30 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2A7321F8EAC for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 2 May 2013 14:30:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.976
X-Spam-Level:
X-Spam-Status: No, score=-9.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 151zL2TJTizV for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 2 May 2013 14:30:37 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id F36A521F8AD5 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 2 May 2013 14:30:36 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1UY141-0004QD-MS for ietf-http-wg-dist@listhub.w3.org; Thu, 02 May 2013 21:29:17 +0000
Resent-Date: Thu, 02 May 2013 21:29:17 +0000
Resent-Message-Id: <E1UY141-0004QD-MS@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <fuzzybsc@gmail.com>) id 1UY13q-0004OA-Cz for ietf-http-wg@listhub.w3.org; Thu, 02 May 2013 21:29:06 +0000
Received: from mail-qa0-f43.google.com ([209.85.216.43]) by maggie.w3.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from <fuzzybsc@gmail.com>) id 1UY13p-0001Xs-AW for ietf-http-wg@w3.org; Thu, 02 May 2013 21:29:06 +0000
Received: by mail-qa0-f43.google.com with SMTP id bs12so31528qab.16 for <ietf-http-wg@w3.org>; Thu, 02 May 2013 14:28:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; bh=/rzjVPvYOQRbC7GkGDbXax3lJbVhxPQNkO5siKRdW8M=; b=x/2DwyvPNd46vWioq8tVkXnVyMNEvBynp8Fo1c643EEbbUEVSjknOCFoTHAljdK5nM x1ojLAQxmDpoolPTZRkCrRwsjKnRgqkwboaf/pKct1wzkxJzfXJkkIX7Dyro4Vrhv/O9 dYq6W0ksNdt/9Z7UjC4B0+pHap65bnmAGkZUbmpg28y3CAAkmqVjjVcOzuHmnWfO0Aus 0bpkPDOpwQITS63HpYXARvj98At/jHyYTzs1vCuoCmBpeXce0vKMGd37drxw6SBygjqK WMQtMqcM03fZjix5H6svNrvqNpfMblguwjPVdU94oW7indS82msF3Zccum+YRT2jPwK5 eNeQ==
MIME-Version: 1.0
X-Received: by 10.224.127.131 with SMTP id g3mr9827330qas.91.1367530119731; Thu, 02 May 2013 14:28:39 -0700 (PDT)
Sender: fuzzybsc@gmail.com
Received: by 10.49.5.194 with HTTP; Thu, 2 May 2013 14:28:39 -0700 (PDT)
Received: by 10.49.5.194 with HTTP; Thu, 2 May 2013 14:28:39 -0700 (PDT)
In-Reply-To: <4AD81F91-9397-461D-A92D-0CC0FAD6C1E3@gmail.com>
References: <14A09626-8397-4656-A042-FEFDDD017C9F@mnot.net> <CANmPAYH60+wmeYQAikUd4ps3HdPQSm80TeZbMW37LioBYVj-7A@mail.gmail.com> <CAA4WUYjOPgCse6giEmy3f_MzRTC3K25oAWeAavHnzywc5pL91w@mail.gmail.com> <CANmPAYGr8QDhmLR50UzWYWK_fNYzGbF_P9EN0dOadmL-wQy61g@mail.gmail.com> <CAA4WUYjDoRFwPJNWzRqQHdBbV+DjF0mv8OO4RWTBSmh6=Dcnxw@mail.gmail.com> <CANmPAYEirEfpM6kEuxaM3OF7hsjWu8_Lr0aWfQ+btkEGOH3Vsw@mail.gmail.com> <CAA4WUYjGaZRVm3NtmT5qO3j7QKNZZiX7zBEV-pDhK0VGGSxuUg@mail.gmail.com> <896F1026-30C6-4397-B265-67285BFA9DDA@gmail.com> <517A5A3D.8030600@cs.tcd.ie> <19554DFB-5B05-495A-B006-EE55A32F3C44@gmail.com> <D6607F77-16B6-4434-82A5-2862615F673C@checkpoint.com> <0A3A9428-0064-4A2D-A726-19257C8BA8B7@gmail.com> <51822D46.6010109@cs.tcd.ie> <A161D29E-31F0-4453-ADAC-F359A4CCA642@gmail.com> <51827C97.2000303@cs.tcd.ie> <A18DFF8B-77A6-480F-BD2F-A7313B80CE58@gmail.com> <51827EF3.1060504@cs.tcd.ie> <5182837D.6040102@panix.com> <51828599.2050609@cs.tcd.ie> <4AD81F91-9397-461D-A92D-0CC0FAD6C1E3@gmail.com>
Date: Fri, 3 May 2013 07:28:39 +1000
X-Google-Sender-Auth: qIxzvemWD6EhZT6pUER6ylsa0NQ
Message-ID: <CAN2g+6boyxmfdHvaztGhtOc0zVhm4u1558MQv4z27EMr_5wB3g@mail.gmail.com>
From: Benjamin Carlyle <benjamincarlyle@soundadvice.id.au>
To: Peter Lepeska <bizzbyster@gmail.com>
Cc: ietf-http-wg@w3.org, Albert Lunde <atlunde@panix.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: multipart/alternative; boundary=001a11c1e2d201a62c04dbc2eb71
Received-SPF: pass client-ip=209.85.216.43; envelope-from=fuzzybsc@gmail.com; helo=mail-qa0-f43.google.com
X-W3C-Hub-Spam-Status: No, score=-3.4
X-W3C-Hub-Spam-Report: AWL=-2.711, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001
X-W3C-Scan-Sig: maggie.w3.org 1UY13p-0001Xs-AW b7f309bb2e9a4ea333c00cd7cd53ba27
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Comments on Explicit/Trusted Proxy
Archived-At: <http://www.w3.org/mid/CAN2g+6boyxmfdHvaztGhtOc0zVhm4u1558MQv4z27EMr_5wB3g@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/17789
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

My biggest issue with the transition to SSL has been the reduced security
it affords to M2M uses of http. I used to be able to throw a firewall in
between two railway systems that filters messages by method and URI regex
to limit the damage one compromised system can do to the next system down
the line. These are already private networks so although the extra layer of
protection is welcome, it is not strictly necessary.
I'm still pondering the precise solution on this one. At present it seems
to be to offload the SSL to the firewall also and to install each system's
certificates on their firewalls instead of on their servers, and then do
another SSL hop to the servers using a different certificate. This seems
more or less reasonable so probably doesn't necessitate a protocol change,
but at least for the moment adds cost to the solution that wasn't
previously there. Many firewalls are capable of http filtering but not of
SSL offload.
I guess the central use case here is "I don't want to read your messages. I
don't want to store them. I don't want a human to see them, but I want to
check to ensure they comply with policy" - a difficult one.