Re: new version trusted-proxy20 draft
Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Mon, 24 February 2014 09:02 UTC
Date: Mon, 24 Feb 2014 11:00:49 +0200
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Salvatore Loreto <salvatore.loreto@ericsson.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>

On Fri, Feb 14, 2014 at 06:56:14PM +0000, Salvatore Loreto wrote:
> > URL: http://www.ietf.org/internet-drafts/draft-loreto-httpbis-trusted-proxy20-01.txt

Some comments:

1) As others have said, unnecessarily admitting to possible attackers that
   connections aren't really protected is not a good idea.

2) The downgrade to HTTP/1.1 for proxy setup looks really odd, and should be
   over TLS too.

3) Leaving manual configuration aside, there is certain merit to the idea
   that the network is able to force a proxy. OTOH, the arising security
   issues aren't trivial (understatement).

4) One idea would be an h2p / h2pxy / h2proxy protocol, which would be HTTP/2
   with some extensions for proxy operation, like additional response codes,
   proxy being able to respond for itself, browser being able to send
   requests to the proxy, proxy relaying certificate info, etc...

5) Regarding use cases, a protocol conforming to the principle of least
   privilege and accommodating all or even most of those (goes up to "Tom's
   Rural broadband" right now) would likely be a hideously complicated mess
   of crypto.

6) Because of the last, one is pretty much limited to no trust (CONNECT) or
   full trust (GET/POST/PUT).

-Ilari