Re: [proxies] [IETF Proxy] Next Steps

Stefan Winter <stefan.winter@restena.lu> Tue, 06 May 2008 06:53 UTC

Return-Path: <proxies-bounces@ietf.org>
X-Original-To: proxies-archive@ietf.org
Delivered-To: ietfarch-proxies-archive@core3.amsl.com
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6A8AE3A6B7E; Mon, 5 May 2008 23:53:33 -0700 (PDT)
X-Original-To: proxies@core3.amsl.com
Delivered-To: proxies@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D64643A6F69 for <proxies@core3.amsl.com>; Mon, 5 May 2008 23:53:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.185
X-Spam-Level:
X-Spam-Status: No, score=-0.185 tagged_above=-999 required=5 tests=[BAYES_40=-0.185]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5Kxz3kdE1rFI for <proxies@core3.amsl.com>; Mon, 5 May 2008 23:52:59 -0700 (PDT)
Received: from smtp.restena.lu (legolas.restena.lu [158.64.1.34]) by core3.amsl.com (Postfix) with ESMTP id 369393A6F4C for <proxies@ietf.org>; Mon, 5 May 2008 23:52:22 -0700 (PDT)
Received: from smtp.restena.lu (localhost [127.0.0.1]) by smtp.restena.lu (Postfix) with ESMTP id C497A30276C0; Tue, 6 May 2008 08:52:20 +0200 (CEST)
Received: from [158.64.1.155] (aragorn.restena.lu [158.64.1.155]) by smtp.restena.lu (Postfix) with ESMTP id B4B5E3027248; Tue, 6 May 2008 08:52:20 +0200 (CEST)
Message-ID: <48200024.80801@restena.lu>
Date: Tue, 06 May 2008 08:52:20 +0200
From: Stefan Winter <stefan.winter@restena.lu>
User-Agent: Thunderbird 2.0.0.12 (X11/20080226)
MIME-Version: 1.0
To: Dan Harkins <dharkins@lounge.org>
References: <7.0.1.0.2.20080416172531.02401228@nist.gov> <200804171550.48931.stefan.winter@restena.lu> <057433e024b8d47267adf9fd0379bd6b.squirrel@www.trepanning.net>
In-Reply-To: <057433e024b8d47267adf9fd0379bd6b.squirrel@www.trepanning.net>
X-Enigmail-Version: 0.95.6
X-Virus-Scanned: ClamAV using ClamSMTP
Cc: proxies@ietf.org
Subject: Re: [proxies] [IETF Proxy] Next Steps
X-BeenThere: proxies@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion list for ad hoc group interested in security and proxies <proxies.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/proxies>, <mailto:proxies-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:proxies@ietf.org>
List-Help: <mailto:proxies-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/proxies>, <mailto:proxies-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: proxies-bounces@ietf.org
Errors-To: proxies-bounces@ietf.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi dan, all,

|   It has been pointed out to me that I may be misunderstanding Stefan's
| intent by latching on the word "political" and running with it.

Well, I wondered myself if my choice of word was good. In fact, I was
not refering to political as in: laws, jurisdiction, courts, prime
ministers, presidents... but as in non-technical, managerial,
financial-driven, contractual-driven etc.

|   I do not mean to attack any valid uses of proxies that may fall under
| the "political" rubric but I do believe there are threats that should
| be enumerated for proxies that can do things like compile databases of
| information gleaned from AAA traffic that goes through them, or locate
| and track people. And the mention of "political" requirements brought
| that up (in my mind at least).

To elaborate on what my notion "political" in our scenario concretely
means, here an example: the eduroam community is primarily intended for
higher education and research, which excludes secondary school pupils.
Some countries however deploy eduroam in such schools, and hand out
accounts which work internationally for their teachers, but only
nationally valid accounts for the pupils in order not violate
international peering agreements but still give service to the pupils.

That is perfectly fine with eduroam international, as long as these
countries can make sure these local accounts stay local. The means to
enforce this is in practice by using a national proxy which knows which
realms belong to pupil database backends and which not. That is IIRC the
main reason for the one country that insists on having everything go
through its national proxy.

We recently have overcome this by loosening the peering agreement so
that everyone considered a valid user in one country is also valid for
roaming in all others, but this now re-opens the age verification
problem at a larger scale :-/

Greetings,

Stefan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4-svn0 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFIIAAk+jm90f8eFWYRAnnsAJ9vgAZuIpn6vYTu4eLA3knYO1k99QCfXalr
8C4L0nBs0Y8KLhu+8/KyBVQ=
=ZSbB
-----END PGP SIGNATURE-----
_______________________________________________
Proxies mailing list
Proxies@ietf.org
https://www.ietf.org/mailman/listinfo/proxies