Re: Continuing to draft mux WG charter

From: spreitze@parc.xerox.com
Date: Fri, Feb 12 1999


From: spreitze@parc.xerox.com
Date: Fri, 12 Feb 1999 08:43:34 PST
To: Chris Newman <chris@innosoft.com>
Cc: Mike Spreitzer <spreitze@parc.xerox.com>, ietf-http-ng@w3.org, discuss@apps.ietf.org
Message-Id: <99Feb12.084349pst."834439"@idea.parc.xerox.com>
Subject: Re: Continuing to draft mux WG charter


You wrote: [[
There are subtle issues which need to be dealt with:

* If user authentication is done below the MEMUX layer, how will
  higher-level protocols "know" that?
* If user authentication is done above the MEMUX layer, what
  damage can passive or active attacks at the MEMUX layer cause?
* What impact will MEMUX have on firewalls when used to multiplex
  multiple services on the same port?
]]

As for the first: how do higher layers ever "know" about authentication done in lower layers?  This is an issue of software in the peers, not the protocol, right?  What goes on the wire makes it clear (assuming the protocols above and below MEMUX were prepared to be separated at all --- which they would of course be if they're separate protocols); the issue is that an API for using MEMUX must enable authentication to pass through the MEMUX software layer appropriately.  As this WG is not about designing the API, I figure that issue is out of scope.

I think the other two issues are clearly in scope.