salvatoreloreto / ietfdrafts
IETF draft I am authoring or co-authoring
An "Explicitly Authenticated",
to
An "Explicitly Authenticated Proxy",
What is the EAP's expected behaviour for non-TLS protected http URIs? We should at least mention this, and consider the security implications carefully. For example (option 1):
Section 4.4 Explicitly Authenticated Proxy for non-secured http requests
In this case the Proxy will create a secure connection to the client, but will not negotiate a secure connection to the origin server. plus diagram
But this behaviour may lead the user to believe that they are in fact securely connected to the origin server, for example if a padlock is shown based on the secure connection to the proxy.
So option 2:
Section 4.4 Explicitly Authenticated Proxy for non-secured http requests
Where the 'http' request is not secured by the origin server, the Proxy will drop the
secure connection to the client and revert to its regular behaviour for non-secured 'http' requests
But what would be the impact of the secure connection dropping?
I think most of this can be explained in the introduction, and that we simply define the scope here
start
Abstract
This document specifies the behaviour of an Explicitly Authenticated proxy as an intermediary of TLS-protected 'http' traffic over HTTP/2.
end
This is all good text but often repeats what is being discussed in the three referenced RFCs, which are well summarised
Remove the three explanatory paragraphs above
'Several drafts analysing[...]'
- Introduction
Several drafts analysing the role and the requirements for proxies have
been submitted:
Use cases in form of stories for proxies are also listed in the wiki
Proxy-User-Stories [1] and analysed in a matrix form in Trusted Proxy
Use Case Analysis and Alternatives [2].
This draft explicitly narrows down the general discussion to the role
of an Explicitly Authenticated Proxy (link to definition in Terminology here)
as an intermediary of TLS-protected "http" scheme URIs of HTTP2 traffic.
This document describes a method for a user agent to automatically
discover and then for a user to accept or reject (i.e. to provide
consent for) an Explicitly Authenticated Proxy to be securely
involved when a request to an "http" URI resource is made.
Section 3 defines processes to signal that an "http" URI
is being requested over HTTP2.
Section 4 describes the role of the Explicitly Authenticated Proxy
when "http" URIs resources have been requested, and the expected
behaviour for "https" scheme URI requests.
Section 5 defines how an Explicitly Authenticated Proxy signals its
presence to an origin server
Section 6 deals with the security implications of introducing an
Explicitly Authenticated Proxy
Section 7 deals with how the user manages their consent for the
Explicitly Authenticated Proxy to operate.
Add new section on goals/non-goals. i.e. why we are doing this, and what we are not doing
start
The primary goal is to define an intermediary to TLS-protected 'http' traffic, that operates with the knowledge
and explicit consent of the user
Non-goals are to define an intermediary for unprotected 'http' traffic over both HTTP/1.1 and HTTP/2, and for 'https' URIs. However the intermediary's expected behaviour for these cases is listed for completeness.
end
Consent is a hugely important aspect of the EAP, and should have its own section to cover how it can be done. This can also re-use the material from the existing section 3.3, 'opt out' (pasted below under 7.3)
Section 7 User consent
7.1 Explaining the proxy functions to the user
7.2 Obtaining and storing user consent
7.3 Expected behaviour if the user opts out/revokes consent
If the user does not give consent, or decides to opt out from the
proxy for a specific connection, the user agent will negotiate HTTP2
connection using "h2" value in the ALPN extension field. The proxy
will then treat the connection as an "https" connection and will
forward the ClientHello message to the Server, establishing an end-
to-end TLS connection between the user agent and the destination
server.
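The opt-out behaviour in 7.3, as an added example that is not part of the issue text or of the draft: a proxy-side check that reads the ALPN list from a ClientHello and defaults to forwarding it untouched. The consent token name, the action strings and the function names are assumptions; only the "h2" value comes from the text above.

```python
import struct

ALPN_EXT = 16  # application_layer_protocol_negotiation extension (RFC 7301)
# Hypothetical placeholder: the page does not name the ALPN value that signals consent.
CONSENT_TOKEN = "x-eap-consent-placeholder"

def build_client_hello(protocols):
    """Construct a minimal ClientHello record (sample input, not a capture)."""
    names = b"".join(bytes([len(p)]) + p.encode() for p in protocols)
    alpn = struct.pack("!H", len(names)) + names
    exts = struct.pack("!HH", ALPN_EXT, len(alpn)) + alpn
    body = (b"\x03\x03" + bytes(32) + b"\x00"        # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
            + b"\x01\x00"                            # null compression only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def alpn_protocols(record):
    """Return the ALPN names offered in a ClientHello record, or [] if none."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 9 + 2 + 32                                 # record/handshake headers, version, random
    pos += 1 + record[pos]                           # session id
    pos += 2 + int.from_bytes(record[pos:pos + 2], "big")  # cipher suites
    pos += 1 + record[pos]                           # compression methods
    end = pos + 2 + int.from_bytes(record[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= min(end, len(record)):
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        data = record[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != ALPN_EXT:
            continue
        names, i = [], 2                             # skip the 2-byte list length
        while i < len(data):
            n = data[i]
            names.append(data[i + 1:i + 1 + n].decode("ascii", "replace"))
            i += 1 + n
        return names
    return []

def proxy_action(record):
    """Terminate TLS only on an explicit consent token; otherwise pass through."""
    try:
        offered = alpn_protocols(record)
    except (ValueError, IndexError, struct.error):
        offered = []                                 # unparseable: never intercept
    return "terminate-tls-at-proxy" if CONSENT_TOKEN in offered else "forward-client-hello"
```

A ClientHello offering only "h2", one with no ALPN extension, and one the proxy cannot parse all take the forwarding path, so the end-to-end TLS connection to the destination server is the default.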
The IANA name for the URI schemes does not include '://'
All instances of 'http://' to 'http'
All instances of 'https://' to 'https'
Best to make the scope of the EAP clear in the Introduction
for the last line of this section, needs to be explicit that this is TLS-protected http URIs:
start
This draft explicitly narrows down the general discussion to the role of Proxy as an intermediary of TLS-protected 'http' URIs over HTTP/2
end
As per issue 8, the shorter introduction leaves the formal definition of the EAP to the Terminology section. The formal reference to 'proxies' should be used in the 'Explicit proxy' definition as that comes first
- Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
This document defines the following terms:
Explicit proxy: an intercepting proxy (see section 2.3 [I-D.ietf-httpbis-p1-messaging]) that
communicates its presence to the user agent and destination server.
Explicitly Authenticated Proxy: an HTTP Proxy that is certificate authenticated, user acknowledged and connected to over a TLS encrypted (and possibly integrity protected) connection. An Explicitly Authenticated Proxy is configured by the user agent to
exclusively receive "http" URI scheme requests and attempt to satisfy
those requests on behalf of the user agent. The presence of a configured Explicitly Authenticated Proxy MUST NOT change the user agent behaviour for the "https" URI scheme requests.