Re: Trust and provacy problems with draft-loreto-httpbis-explicitly-auth-proxy
Yoav Nir <ynir.ietf@gmail.com> Mon, 05 May 2014 15:40 UTC
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 056841A03C5 for <ietf@ietfa.amsl.com>; Mon, 5 May 2014 08:40:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.699
X-Spam-Level:
X-Spam-Status: No, score=-1.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g-aUFEQJ3C5H for <ietf@ietfa.amsl.com>; Mon, 5 May 2014 08:40:11 -0700 (PDT)
Received: from mail-wg0-x22f.google.com (mail-wg0-x22f.google.com [IPv6:2a00:1450:400c:c00::22f]) by ietfa.amsl.com (Postfix) with ESMTP id 9DC861A03B9 for <ietf@ietf.org>; Mon, 5 May 2014 08:40:11 -0700 (PDT)
Received: by mail-wg0-f47.google.com with SMTP id x12so5935813wgg.30 for <ietf@ietf.org>; Mon, 05 May 2014 08:40:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=ftg88lVXnbjAJaWrqX6k3Gsf7O5a6mqjEBQLRYOp7fI=; b=JhcPfO9b0Ifgs9u7WSF/qE4iB+Z3tybQ/pVlC+EeVBcG6BV12vflEw91TM33OwtkLg D6FGwYVI5gpdssdZpqDXLpPlVSVaGa6YK/7+/86Ng176o6BTeqDnOXWBfmCsZSgnSmnP J26B23XOqopfBgziWPHqGEEGQCXFLWK/kTCSXWmV51KiW3tkFOmAarMaO9KcbCaND+XX 4HTmhZ0Jr6UXHZzLxyYurCgZ4W5XpF5KLxJg/0uWp3WPRGpGDaGMsykYXV+VzRpOrCVs 0gZ7YnPdeuhTZpuIjAwUGvDe0VeyaYhVplAqLe3VZKqCksBWYOqYi8bKFx5JiE+nhZ4E IEpQ==
X-Received: by 10.180.73.140 with SMTP id l12mr16673846wiv.3.1399304407660; Mon, 05 May 2014 08:40:07 -0700 (PDT)
Received: from [192.168.1.102] (bzq-84-109-50-18.red.bezeqint.net. [84.109.50.18]) by mx.google.com with ESMTPSA id d6sm18517899wiz.4.2014.05.05.08.40.06 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 05 May 2014 08:40:07 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_EB1A0972-4AF6-4BCC-A222-DF57E77F92BA"
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
Subject: Re: Trust and provacy problems with draft-loreto-httpbis-explicitly-auth-proxy
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <536775D2.4090708@raphaeldurand.fr>
Date: Mon, 05 May 2014 18:40:05 +0300
Message-Id: <B9FD8D40-49E2-48E0-BEAF-B3863C1FCAA2@gmail.com>
References: <536775D2.4090708@raphaeldurand.fr>
To: Raphaël Durand <mail@raphaeldurand.fr>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/FJ3_PvtUaWsKRKadT0y0GyWFMFA
Cc: ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 May 2014 15:40:13 -0000
On May 5, 2014, at 2:28 PM, Raphaël Durand <mail@raphaeldurand.fr> wrote: > I've just read the draft draft-loreto-httpbis-explicitly-auth-proxy, and I see a lot of trust and privacy problem in this "Explicit auth proxy". > https://datatracker.ietf.org/doc/draft-loreto-httpbis-explicitly-auth-proxy/?include_text=1 > > The first problem is in the "opt-out" section (3.3). > First, it has to be "opt-in" not "opt-out" (it's called an "explicit auth proxy isn't it ?") > Second, in order to be efficent, a proxy have to be a bottleneck, so user can't get around it. Hi I haven’t read the entire draft yet, but proxies don’t have to be the bottleneck. They are often deployed in conjunction with firewalls, and it is the firewalls that block connections trying to get around the proxy. IOW the proxy and firewall don’t have to be co-located. Yoav
- Trust and provacy problems with draft-loreto-http… Raphaël Durand
- Re: Trust and provacy problems with draft-loreto-… Yoav Nir
- Re: Trust and provacy problems with draft-loreto-… S Moonesamy
- Re: Trust and provacy problems with draft-loreto-… Salvatore Loreto
- Re: Trust and provacy problems with draft-loreto-… Paul Wouters
- Re: Trust and provacy problems with draft-loreto-… Raphaël Durand