Re: [apps-discuss] Comments on draft-ietf-appsawg-http-forwarded-02

by Andreas Petersson-2

On Mon, 14 May 2012 10:37:10 +0100
Stephen Farrell <stephen.farrell@...> wrote:

>
> On 05/13/2012 06:07 PM, SM wrote:
> > As a starting point, here's some suggested text for Section 8.2:
> >
> >   In recent years, there have been growing concerns about privacy.  There is a
> >   tradeoff between ensuring privacy for users versus disclosing information
> >   which is useful for debugging.  The Forwarded HTTP header field, by design,
> >   exposes information which affects the privacy of users.  This header field
> >   should not be used if the proxy is being operated as a privacy service.
>
> - Is "privacy service" well-defined? (Or well enough defined?)

Maybe we can write something like "if the proxy is intended to
anonymize the user" ?

>
> - In general, is a user supposed to know that headers like this
>   are being added? If so, how? If not, doesn't that have privacy
>   implications as well?

There are lots and lots of different proxy types, and the users need
special education for each of them. However, this cannot be done in
this document.

>
> - Section 5.4 is also odd: when would we want a proxy to make it
>   look to the UA that stuff the proxy got unprotected was protected?

It is not uncommon that you have a reverse proxy that does SSL offload.
This should be of no concern for the user.

>
> - I also wondered how widely the X-Forwarded stuff is deployed and
>   generally whether it's really a good or bad idea to standardise
>   this. I can't tell from (the quick read I had of) the document.

It has really widespread usage in the world of proxying.



 Best regards,
   Andreas