On Jul 10, 2012, at 12:07 PM, Andreas Petersson wrote:
The first half of the statement is basically a refinement of the previous
sentence in the section ("The Forwarded HTTP header field, by design,
exposes information that some users consider privacy sensitive"), so I don't
see what is lost by eliminating it.
See my answer to SM. I think it better explains that the expectations
of the end user are important to consider, even if these expectations
are wrong.
Right, I'm not saying that user expectations are unimportant. I think
characterizing their role accurately should be the goal. If there is a desire
to leave this in, I would suggest something more along the lines of:
Proxies using this extension will preserve the information of a direct
connection. In some cases, the user's and/or deployer's knowledge or
expectation that this will occur can help to mitigate the associated privacy
impact.
I don't think that text will have much impact on how the header field
is used in practice though, or any technical impact, so removing it is
fine with me.
Even if that's the case, having accurate documentation of the privacy
implications can't hurt.
Alissa
It would be interesting to hear what Stephen Farrell thinks about it,
since he wrote that text.
Cheers,
Andreas