RE: new version trusted-proxy20 draft

Liliana Dinale <liliana.dinale@ericsson.com> Thu, 20 February 2014 11:50 UTC

From: Liliana Dinale <liliana.dinale@ericsson.com>
To: "William Chan (陈智昌)" <willchan@chromium.org>, Salvatore Loreto <salvatore.loreto@ericsson.com>
CC: HTTP Working Group <ietf-http-wg@w3.org>, "draft-loreto-httpbis-trusted-proxy20@tools.ietf.org" <draft-loreto-httpbis-trusted-proxy20@tools.ietf.org>, GUS BOURG <gb3635@att.com>
Date: Thu, 20 Feb 2014 11:47:10 +0000
Subject: RE: new version trusted-proxy20 draft
Message-ID: <C568329646D64E45B76A79E2D97FC1BE1C3A03F1@eusaamb103.ericsson.se>
In-Reply-To: <CAA4WUYinYSeUq3W8L+9Fs42wMmEtb2m-LAE99fzD-pgjmAGoEg@mail.gmail.com>
Archived-At: <http://www.w3.org/mid/C568329646D64E45B76A79E2D97FC1BE1C3A03F1@eusaamb103.ericsson.se>

Dear all
Let me first introduce myself. I will start attending IETF at the London meeting, joining your WG, and I am looking forward to working with you. It is my pleasure to announce the fact that Ericsson plans to show a demo implementing the UA and the Proxy solution.


Thank you and kind regards,
Liliana


-----Original Message-----
From: willchan@google.com [mailto:willchan@google.com] On Behalf Of William Chan (陈智昌)
Sent: February-19-14 7:40 PM
To: Salvatore Loreto
Cc: Peter Lepeska; Paul Hoffman; Patrick McManus; HTTP Working Group; draft-loreto-httpbis-trusted-proxy20@tools.ietf.org; GUS BOURG
Subject: Re: new version trusted-proxy20 draft

On Wed, Feb 19, 2014 at 1:17 PM, Salvatore Loreto <salvatore.loreto@ericsson.com> wrote:
>
> On Feb 19, 2014, at 7:09 PM, William Chan (陈智昌) <willchan@chromium.org> wrote:
>
>> Yeah, I'd like to see the "secure proxy" proposal separated out from 
>> the "trusted proxy" proposal. Let's move forward on the "secure proxy"
>> one. I think the "trusted proxy" proposal is more complicated.
>
> I agree
> and the draft is really proposing a "secure proxy" solution in line 
> with your definition of "secure proxy"
>
> indeed we are only proposing the possibility for the proxy to ask 
> consent to opt in for http:// resources traffic

Let's be clear, these are two different things. There's "secure proxy", which is securing the connection between the proxy and the client. I'm supportive of standardizing this. Then there's this opting into allowing http:// resources to be sniffed by signaling it via ALPN. What's the value proposition here? Why not issue the request to the proxy if you want to let it see it, just like we do for configured HTTP proxies?

>
> /Sal
>
>
>>
>> On Wed, Feb 19, 2014 at 7:30 AM, Peter Lepeska <bizzbyster@gmail.com> wrote:
>>> My two takeaways from Zurich on trusted proxy were as follows:
>>>
>>> 1) We need to look at use cases of trusted proxy and seek 
>>> alternative technologies. I've attempted to start this process on 
>>> another thread, which I believe shows current (and future) 
>>> alternatives are partial solutions that we can conclude are 
>>> inadequate overall in delivering the functionality and performance users/admins/service providers demand.
>>> 2) Until someone proposes a UI for opt-in and opt-out of trusted 
>>> proxy that is both user friendly and does not make MITM attacks 
>>> (rogue trusted proxies) easier to execute, then the debate on this 
>>> topic is at a standstill. I am working on ideas in this area but it will take more than just a few weeks.
>>> It would be really great if others got involved.
>>>
>>> Salvatore's draft has some really good ideas but it does not attempt 
>>> to address #2 above, which most agreed was the sticking point on 
>>> trusted proxy, which we distinguish from "secure proxy" by the fact 
>>> that a trusted proxy can see https-schemed traffic in plaintext.
>>>
>>> Peter
>>>
>>>
>>> On Tue, Feb 18, 2014 at 11:54 PM, William Chan (陈智昌) 
>>> <willchan@chromium.org>
>>> wrote:
>>>>
>>>> On Tue, Feb 18, 2014 at 8:18 PM, Paul Hoffman 
>>>> <paul.hoffman@gmail.com>
>>>> wrote:
>>>>> On Tue, Feb 18, 2014 at 6:02 PM, William Chan (陈智昌)
>>>>> <willchan@chromium.org>
>>>>> wrote:
>>>>>>
>>>>>>
>>>>>> And furthermore, I should add that I don't really think it's in 
>>>>>> the users' interests to have an intermediary be able to 
>>>>>> listen in on all their https traffic. I don't really see the 
>>>>>> value for end users in standardizing any mechanism for doing this. Is there any?
>>>>>
>>>>>
>>>>> This still comes back to the theory that a trusted, explicit 
>>>>> firewall, such as a corporate firewall, should be able to snoop on 
>>>>> all traffic leaving the protected network. There are plenty of 
>>>>> good reasons to do this, and plenty of people who disagree that 
>>>>> there are any possible reasons.
>>>>
>>>> Good point. This is a controversial topic that we're unlikely to 
>>>> see consensus on in the near future. Let me ask another question. 
>>>> Is there a user agent that plans on supporting this proposal? At 
>>>> the Zurich interim, IIRC, Patrick (Firefox), Rob (IE/WinInet), and 
>>>> I (Chromium) all said we do not support this. If that's in error, please speak up.
>>>> Otherwise, if no user agent plans on supporting this, I don't see 
>>>> the value of standardizing this.
>>>>
>>>
>
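As an added illustration of the distinction drawn in the thread above (a "secure proxy" that only protects the client-to-proxy link versus a "trusted proxy" that sees https-schemed traffic in plaintext), and of William's question about simply issuing the request to the proxy the way configured HTTP proxies already receive it, the following Python is example code written for this page. It is not from the draft, from Ericsson's demo, or from any browser, and it says nothing about the ALPN signaling the draft proposes, whose token names do not appear on this page. It models the proxy's side after the proxy has decrypted its own TLS session with the client and classifies each request by the two forms a configured proxy already handles, RFC 7230 absolute-form and CONNECT. The names `ProxyView`, `proxy_view` and the form label "exposed", and all sample byte streams, are constructed for this example.

```python
"""
Added example (not from the draft or the thread): what a "secure proxy",
one whose link to the client is protected by TLS, can observe on the
decrypted client->proxy stream for the request forms a configured HTTP
proxy already handles (RFC 7230 absolute-form and CONNECT).
All sample inputs below are constructed for this illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

TLS_RECORD_HANDSHAKE = 0x16   # TLS record content type for handshake messages
TLS_RECORD_MAJOR = 0x03       # major version byte shared by SSL 3.0 / TLS 1.x


@dataclass
class ProxyView:
    """What the proxy learns from one client request."""
    form: str                      # "absolute" (http://), "tunnel" (CONNECT),
                                   # or "exposed" (https:// sent in absolute-form)
    authority: str                 # host[:port] is visible in every form
    method: Optional[str] = None   # request line, headers, body: only outside a tunnel
    target: Optional[str] = None
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""
    opaque: bytes = b""            # bytes relayed blind (client's TLS session with origin)
    opaque_is_tls: bool = False


def _split_head(stream: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split the HTTP/1.1 head off the stream: (request-line, headers, rest)."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.decode("ascii").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, rest


def proxy_view(stream: bytes) -> ProxyView:
    """Classify one client->proxy request and report the proxy's visibility."""
    request_line, headers, rest = _split_head(stream)
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise ValueError(f"bad request line: {request_line!r}")
    method, target, _version = parts

    if method == "CONNECT":
        # authority-form: the proxy learns only host:port and then relays an
        # opaque byte stream. It can recognise a TLS record header but cannot
        # read the application data carried inside the client's TLS session.
        looks_tls = (len(rest) >= 5
                     and rest[0] == TLS_RECORD_HANDSHAKE
                     and rest[1] == TLS_RECORD_MAJOR)
        return ProxyView(form="tunnel", authority=target, headers=headers,
                         opaque=rest, opaque_is_tls=looks_tls)

    scheme, sep, remainder = target.partition("://")
    if not sep:
        raise ValueError("origin-form request sent to a proxy; expected absolute-form or CONNECT")
    authority = remainder.split("/", 1)[0]
    length = int(headers.get("content-length", "0"))
    # For http:// resources this is exactly what a configured HTTP proxy
    # receives today: request line, headers and body in the clear to the proxy.
    # An https:// target sent the same way hands the proxy the plaintext of an
    # https-schemed request, the visibility the thread calls "trusted proxy".
    form = "absolute" if scheme.lower() == "http" else "exposed"
    return ProxyView(form=form, authority=authority, method=method,
                     target=target, headers=headers, body=rest[:length])


# Constructed sample streams, as the proxy sees them after decrypting its own
# TLS session with the client.
SAMPLE_GET = (
    b"GET http://example.com/index.html HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"User-Agent: demo\r\n"
    b"\r\n"
)
SAMPLE_POST = (
    b"POST http://example.com/login HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 21\r\n"
    b"\r\n"
    b"user=alice&pw=hunter2"
)
# CONNECT followed by the start of a TLS handshake record
# (type 0x16, version 0x0301, length 0x002a) and 42 placeholder bytes.
SAMPLE_CONNECT = (
    b"CONNECT example.com:443 HTTP/1.1\r\n"
    b"Host: example.com:443\r\n"
    b"\r\n"
    b"\x16\x03\x01\x00\x2a" + b"\x00" * 42
)

if __name__ == "__main__":
    for name, sample in (("GET", SAMPLE_GET), ("POST", SAMPLE_POST), ("CONNECT", SAMPLE_CONNECT)):
        v = proxy_view(sample)
        print(f"{name}: form={v.form} authority={v.authority} method={v.method} "
              f"body={v.body!r} opaque_bytes={len(v.opaque)} tls={v.opaque_is_tls}")
```

The POST sample is the case the opt-in question turns on: once the client chooses to send an http:// request to the proxy, the proxy sees the form body (here a constructed credential pair) in full, just as a configured HTTP proxy does; the CONNECT sample shows the proxy learning the destination host and port and nothing else. Reading https-schemed content, the "trusted proxy" behaviour, would require the client to hand it over in absolute-form (the "exposed" label) or the proxy to terminate the origin's TLS, neither of which this model performs.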