Re: Q: Automatic, secure proxy selection

Mark Nottingham <mnot@mnot.net> Mon, 20 July 2020 07:05 UTC

From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <20200719165103.GK13675@faui48f.informatik.uni-erlangen.de>
Date: Mon, 20 Jul 2020 17:02:14 +1000
Cc: ietf-http-wg@w3.org
Message-Id: <D02F5373-03F7-470A-A589-44037841A478@mnot.net>
References: <20200719165103.GK13675@faui48f.informatik.uni-erlangen.de>
To: Toerless Eckert <tte@cs.fau.de>
Archived-At: <https://www.w3.org/mid/D02F5373-03F7-470A-A589-44037841A478@mnot.net>

This question is likely better asked on the DoH or another list, as it's not specific to HTTP.

Cheers,


> On 20 Jul 2020, at 2:51 am, Toerless Eckert <tte@cs.fau.de> wrote:
> 
> I hope a (simple?) user question is acceptable on this list; apologies if not.
> 
> What (if any) IETF/W3C standards exist to complete the following workflow:
> 
> - all for client/initiator (e.g. browser)
> - Assume some DoH method for DNS lookups
> - DNS lookup for www.example.com
> - get in reply something like: (?)
>    www.example.com trusts the following proxy.com
> - Build TLS connection to proxy.com (?)
> - Tunnel end-to-end https connection to www.example.com across (?)
>    that TLS connection to proxy.com
>    Aka: do not want proxy.com to be able to decrypt end-to-end payload.
> 
> Aka: I am unclear if there are appropriate DNS RRs to support the
> following steps and if/how it is actually possible to have end-to-end
> encryption across such an also encrypted proxy connection.
> 
> The use-case is obviously not to have network layer exposure on
> the path between client and proxy that the connection is with www.example.com,
> and on the path between proxy and www.example.com that the connection is for the client.
> 
> Thanks!
>    Toerless
> 
> 
> 

--
Mark Nottingham   https://www.mnot.net/
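The tunnelling step in the quoted workflow (a TLS connection to proxy.com carrying an end-to-end HTTPS connection to www.example.com that the proxy cannot decrypt) can be expressed with the HTTP CONNECT method: one TLS session to the proxy, a CONNECT request inside it, and then a second, separately verified TLS handshake with the origin through the resulting tunnel. The code below is an added illustration by the editor, not code from either poster; it assumes a proxy that accepts CONNECT over TLS, reuses the question's placeholder host names, and leaves out the DNS discovery step because the thread names no RR for it.

```python
import socket
import ssl

def build_connect_request(origin_host: str, origin_port: int = 443) -> bytes:
    """HTTP/1.1 CONNECT asking the proxy for a raw TCP tunnel to origin_host:origin_port."""
    target = f"{origin_host}:{origin_port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")

def parse_connect_response(data: bytes):
    """Return (status, bytes_after_head), or (None, data) while the head is incomplete. A 2xx
    CONNECT reply has no body, so bytes after the blank line are inner-layer tunnel traffic."""
    end = data.find(b"\r\n\r\n")
    if end == -1:
        return None, data
    parts = data[:end].split(b"\r\n", 1)[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/1.") or not parts[1].isdigit():
        raise ValueError(f"malformed CONNECT status line: {parts!r}")
    return int(parts[1]), data[end + 4:]

def open_nested_tls(proxy_host: str, origin_host: str, proxy_port: int = 443):
    """Outer TLS to the proxy, CONNECT, then an inner TLS handshake with the origin through the
    tunnel; each layer verifies its own peer name, so the proxy sees only inner ciphertext."""
    ctx = ssl.create_default_context()  # CA chain + host-name verification for both layers
    outer = ctx.wrap_socket(socket.create_connection((proxy_host, proxy_port)), server_hostname=proxy_host)
    outer.sendall(build_connect_request(origin_host))
    buf, status, leftover = b"", None, b""
    while status is None:
        chunk = outer.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before answering CONNECT")
        buf += chunk
        status, leftover = parse_connect_response(buf)
    if status // 100 != 2:
        raise ConnectionError(f"proxy refused the tunnel: status {status}")
    # MemoryBIO: inner records ride inside the outer session (re-wrapping the SSLSocket would bypass it)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    incoming.write(leftover)  # early tunnel bytes, if any, belong to the inner layer
    inner = ctx.wrap_bio(incoming, outgoing, server_hostname=origin_host)
    while True:
        try:
            inner.do_handshake()
            break
        except ssl.SSLWantReadError:
            outer.sendall(outgoing.read())  # send our pending flight, then wait for the peer's
            data = outer.recv(16384)
            if not data:
                raise ConnectionError("tunnel closed during the inner TLS handshake")
            incoming.write(data)
    outer.sendall(outgoing.read())  # flush the client's final handshake flight
    return inner, outer  # inner SSLObject carries origin data; outer is pumped with the BIOs
```

Calling `open_nested_tls("proxy.com", "www.example.com")` needs network access to a real proxy; the two helpers above it run offline and are the part worth unit-testing, in particular that bytes following the CONNECT reply head are handed to the inner layer rather than discarded.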