Avoid bare 'for the sake of security' #974
Merged
royfielding merged 1 commit into httpwg:master from Sep 10, 2021
royfielding approved these changes Sep 10, 2021
Inspired by some discussion on #914: while just the word "security"
is indeed used in marketing literature for proxies, its meaning to different
parties is so varied so as to not really convey much useful information. In the
IETF we try hard to be clear about what security provides we need and/or provide,
avoiding the vague catch-all term. However (as I am reminded out of band), the
audience of this document is not exactly security experts, and it is easy to go
overboard trying to be precise, at least in this instance.
[actual commit message body retained below]
The mere act of inserting a proxy into the chain does not, in and of
itself, do much of anything for the security of the system (and a badly
implemented proxy can make the security of the system much worse).
A proxy can, however, provide security services such as auditing
access, annotating content from untrustworthy sources, exfiltration
avoidance, etc. It is these services that are the security-related
motivation for using a proxy, so say that "security services", rather
than just "security", are being provided by the proxy.