On Fri, Sep 29, 2017 at 2:28 AM, Leif Johansson <[email protected]> wrote:
> On 2017-09-28 23:02, Viktor Dukhovni wrote:
> >
> >> On Sep 28, 2017, at 4:42 PM, Brotman, Alexander <[email protected]> wrote:
> >>
> >> Please let us know if you have any comments or questions, and thank you for your time.
> >
> > I would have expected it to be easier to serve 302 redirects than deploy
> > a reverse proxy, but perhaps I am mistaken, and HTTPS servers come with
> > reverse-proxy support as a common built-in feature?
>
> Speaking as an individual I'd say that modern general purpose webservers
> do both equally well and just as easily. There may still be deployment
> issues making one or the other preferable in any one situation though...
>

Ringing in quite a bit later now, with my apologies for engaging so late... I wanted to provide one possible use case where HTTP redirects would be much more helpful than requiring the use of reverse proxies.

Consider the case of a service like login.gov - https://login.gov and https://www.login.gov collectively serve a static brochure website for the product. https://secure.login.gov is the actual dynamic application that people log in to. Emails sent by the system use @login.gov for the hostname. Deployment/review processes for the brochure site and the dynamic application are handled differently, and may be handled by different people.

In this situation, deploying an MTA-STS policy to https://login.gov/.well-known/mta-sts.txt feels a bit risky, because the content served at that URL is now very security-relevant to the mail being sent by the application at secure.login.gov. It would feel less risky if the URL could redirect to https://secure.login.gov/.well-known/mta-sts.txt, so that its content (and any updates to that URL) are reviewed by the same people and with the same rigor that the dynamic application uses. This also makes it more plausible to generate the contents of mta-sts.txt dynamically, so that information is at less risk of going out of sync.

I don't want to say it's a dealbreaker or impossible to deploy MTA-STS in this situation without redirects. But, allowing redirects would drop the level of operational risk of managing the content in a static site, or would drop the level of effort to change the architecture to support reverse proxying, by a lot, and make it easier to justify the effort.

-- Eric

>
> Cheers Leif
>
> _______________________________________________
> Uta mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/uta
>

--
konklone.com | @konklone <https://twitter.com/konklone>

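The out-of-sync risk raised in the message above can be checked mechanically wherever the policy file ends up being hosted. The following is an added example, not part of the original thread: it parses a policy body in the key/value syntax of the published MTA-STS specification (RFC 8461, which postdates this message) and compares its `mx` patterns with the MX hosts mail actually uses. The sample policy and all hostnames are constructed.

```python
# Added example (not from the thread). Policy syntax follows RFC 8461.
VALID_MODES = {"enforce", "testing", "none"}

# Constructed sample: the copy committed to the static site's repository.
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mx1.mail.example
mx: *.old-provider.example
max_age: 604800
"""

def parse_policy(text):
    """Parse a policy body into a dict; raise ValueError if it is malformed."""
    policy = {"mx": []}
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a key/value line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key not in policy:  # for repeated keys the first value wins
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("missing or unsupported version")
    if policy.get("mode") not in VALID_MODES:
        raise ValueError("missing or invalid mode")
    if not policy.get("max_age", "").isdigit():
        raise ValueError("missing or invalid max_age")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("policy lists no mx")
    return policy

def mx_matches(pattern, host):
    """Exact match, or a '*.' wildcard standing for exactly one leftmost label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.partition(".")[2] == pattern[2:]
    return host == pattern

def drift(policy_text, live_mx):
    """Return (live MX hosts the policy misses, policy patterns no live MX uses)."""
    mx = parse_policy(policy_text)["mx"]
    uncovered = [h for h in live_mx if not any(mx_matches(p, h) for p in mx)]
    stale = [p for p in mx if not any(mx_matches(p, h) for h in live_mx)]
    return uncovered, stale

if __name__ == "__main__":
    # Constructed MX set the mail system currently uses.
    print(drift(SAMPLE_POLICY, ["mx1.mail.example", "mx2.mail.example"]))
```

An uncovered host is the urgent finding: under an `enforce` policy, senders that honor MTA-STS will not deliver to an MX the policy does not list. A stale pattern is a cleanup item.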
