Re: [proxies] [IETF Proxy] Next Steps

Bernard Aboba <> Fri, 02 May 2008 22:25 UTC


Stefan said:
It turned out that in addition to the pure authentication information that is user-supplied, it is in some cases necessary for home and service provider server to speak to each other *about* the user. The most prominent example here is: in Australia, unfiltered Internet access is only allowed for adults. So if a foreign eduroam user authenticates within Australia, the visited domain needs to get information about the age of the user. Without proxies, this would not be a problem: define a Vendor-Specific attribute and communicate the value. With proxies, things are worse: the traffic will be sent through intermediate proxy servers, which can then correlate the information of the age to the user identity, and thus create personally identifiable data sets. These are heavily regulated in the EU, introducing a legal problem (I'll save you from the details).
[BA] Wouldn't EU regulations have a problem with the local ISP obtaining the age of the user, irrespective of proxies? Also, why can't the problem (with or without proxies) be solved using the CUI, described in RFC 4372?

To me, the above model seems to have two role models of proxies:
- the "technical" proxy - to aggregate or channelize traffic for manageability reasons
- the "political" proxy - due to the requirement or wish to inspect, control or modify traffic while in flight

The first kind might go away with dynamic discovery between service provider and home server; the second might most certainly not. So my answer to the proxy problem in general is: we will have to live with them.
[BA] I think these issues are described in RFC 2607, no? 