On Sun, Dec 1, 2013 at 9:49 AM, Yoav Nir <[email protected]> wrote:
> Well, [2] is just an idea I had two weeks ago, which Tom Ritter shot down
> and easily convinced me. The "strict" directive has come up in discussion at
> httpbis as well. There's all kinds of talk about adding a "trusted proxy" (a
> proxy that can see the plaintext).

How to help end-users deal with "trusted proxies" and how to differentiate, if at all, benign MitMs from malicious ones, are issues for which there is no widespread consensus amongst UA vendors. When Firefox first started out, the fact that Firefox didn't use the system's enterprise, sysadmin-enforced networking and trust settings was considered a major feature by many Firefox users, and many Firefox users still see it that way.

I understand the idea that the owner of the computer and/or the network (i.e. often the end-user's employer) has some rights regarding how their property is used. However, many people at Mozilla, myself included, think that ultimately the rights of the end-user trump the rights of the property owner, though we acknowledge that an adversarial property owner is often a very difficult attacker for the end-user to thwart. How we ensure that both the rights of the property owner and the rights of the end user (when different) are met is still very much an open issue.

At least until there is a strong consensus regarding trusted proxies, I don't think specifications like HPKP should add features to differentiate benign MitM from malicious ones. In the case of HPKP, the important thing is that the specification gives UAs enough flexibility to decide how to deal with this on their own.

Ultimately, if the spec includes "strict," UAs are only going to implement whatever mandated behavior is specified for "strict" if it makes sense for their constituents, regardless of MUST or SHOULD. IMO, that is a very good indication that, if "strict" survives at all, then it should not have any MUST-level requirements for its processing.

Cheers,
Brian
--
Mozilla Networking/Crypto/Security (Necko/NSS/PSM)
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
