On Jul 10, 2012, at 12:07 PM, Andreas Petersson wrote:
>> The first half of the statement is basically a refinement of the previous 
>> sentence in the section ("The Forwarded HTTP header field, by design, 
>> exposes information that some users consider privacy sensitive"), so I don't 
>> see what is lost by eliminating it.
> 
> See my answer to SM. I think it better explains that the expectations
> of the end user are important to consider, even if these expectations
> are wrong.

Right, I'm not saying that user expectations are unimportant. I think 
characterizing their role accurately should be the goal. If there is a desire 
to leave this in, I would suggest something more along the lines of:

Proxies using this extension will preserve the information of a direct 
connection. In some cases, the user's and/or deployer's knowledge or 
expectation that this will occur can help to mitigate the associated privacy 
impact.

> 
> I don't think that text will have much impact on how the header field
> is used in practice though, or any technical impact, so removing it is
> fine with me.

Even if that's the case, having accurate documentation of the privacy 
implications can't hurt.

Alissa

> 
> It would be interesting to hear what Stephen Farrell thinks about it,
> since he wrote that text.
> 
> 
> Cheers,
> Andreas

