Hi, I may be missing something here, but your wording seems to suggest that the user may not trust the server? If so, that is definitely not the targeted case under discussion. The assumption here is that the client (and hence the user) and the server trust each other, but they don't necessarily trust all middleboxes.
If I have not understood you correctly, please let me know. Regards, Vidya On Tue, Oct 29, 2013 at 6:51 AM, Bjoern Hoehrmann <[email protected]> wrote: > * Vidya Narayanan wrote: > >All, > >http://tools.ietf.org/id/draft-vidya-httpbis-explicit-proxy-ps-00.txt is > a > >problem statement on the need for explicit proxying in HTTP. > > I have a suggestion. From the document: > > The use of proxies leads to a number of privacy issues. To > summarize: > > ... > > o The server has no knowledge of the presence of the proxy and > hence, cannot refuse to serve sensitive content over a proxied > connection. > > o The weakened security model, when certificate pinning is disabled > at a general level, allows inspection of content ... > > ... > > With privacy becoming more and more important, it is important for us > to support solutions that allow awareness of a privacy breach to both > users and the servers, when that happens. To this effect, it is > important that proxies be explicitly supported and detected. > > ... > > o Content providers may not wish to serve certain content in > anything less than an end-to-end secure fashion. > > How about including in the Goals section that users must be able to > verify the behavior of untrusted user agents without interference on > part of the server, which requires the user being able to inspect any > content without the server knowing, possibly by use of a proxy? > > I also note that allowing servers to be aware when my "privacy" has > been "breached" in all likelyhood makes that breach worse, not better. > -- > Björn Höhrmann · mailto:[email protected] · http://bjoern.hoehrmann.de > Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de > 25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ >
_______________________________________________ perpass mailing list [email protected] https://www.ietf.org/mailman/listinfo/perpass
