On Tue, 10 Jul 2012 12:32:08 -0400 Alissa Cooper <[email protected]> wrote:
> On Jul 10, 2012, at 12:07 PM, Andreas Petersson wrote:
> >> The first half of the statement is basically a refinement of the previous
> >> sentence in the section ("The Forwarded HTTP header field, by design,
> >> exposes information that some users consider privacy sensitive"), so I
> >> don't see what is lost by eliminating it.
> >
> > See my answer to SM. I think it better explains that the expectations
> > of the end user are important to consider, even if these expectations
> > are wrong.
>
> Right, I'm not saying that user expectations are unimportant. I think
> characterizing their role accurately should be the goal. If there is a desire
> to leave this in, I would suggest something more along the lines of:
>
> Proxies using this extension will preserve the information of a direct
> connection. In some cases, the user's and/or deployer's knowledge or
> expectation that this will occur can help to mitigate the associated privacy
> impact.

Off-list discussion with Alissa resulted in this suggestion:

"Proxies using this extension will preserve the information of a direct
connection. This has an end-user privacy impact regardless of whether
the end-user or deployer knows or expects that this is the case."

Cheers,
Andreas
