* Vidya Narayanan wrote:
>All,
>http://tools.ietf.org/id/draft-vidya-httpbis-explicit-proxy-ps-00.txt is a
>problem statement on the need for explicit proxying in HTTP.

I have a suggestion. From the document:

   The use of proxies leads to a number of privacy issues.  To
   summarize:

   ...

   o  The server has no knowledge of the presence of the proxy and
      hence, cannot refuse to serve sensitive content over a proxied
      connection.

   o  The weakened security model, when certificate pinning is disabled
      at a general level, allows inspection of content ...

   ...

   With privacy becoming more and more important, it is important for us
   to support solutions that allow awareness of a privacy breach to both
   users and the servers, when that happens.  To this effect, it is
   important that proxies be explicitly supported and detected.

   ...

   o  Content providers may not wish to serve certain content in
      anything less than an end-to-end secure fashion.

How about including in the Goals section that users must be able to
verify the behavior of untrusted user agents without interference on
part of the server, which requires the user being able to inspect any
content without the server knowing, possibly by use of a proxy?

I also note that allowing servers to be aware when my "privacy" has
been "breached" in all likelihood makes that breach worse, not better.
-- 
Björn Höhrmann · mailto:[email protected] · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
