- From: Henrik Nordström <henrik@henriknordstrom.net>
- Date: Wed, 29 Feb 2012 23:44:30 +0100
- To: Adrien de Croy <adrien@qbik.com>
- Cc: ietf-http-wg@w3.org
Thu 2012-03-01 at 09:09 +1300, Adrien de Croy wrote:

> There is one other thing I would add to auth:
>
> Ability for a challenger to identify itself, and for a response to
> target a challenger.

proxy-auth is currently defined hop-by-hop, avoiding this mess. But unfortunately real-life networks are not always that simple. The security implications of multi-level proxy challenges are tricky, to say the least. There is no guarantee the next request travels the same path. I would not dare to venture into specifying what such a multi-level challenge/response process with a varying path would look like, how it would work, or the security aspects of any such design.

> Adding a parameter to the challenge and response which identifies the
> challenger would allow for this.

Yes, but it opens up a big can of worms, as expressed above.

> In fact it would then allow proxy and server auth to use the same
> mechanism and headers.

Which is one very visible aspect of that big can of worms. You need a damn good framework defining what may be sent where, and the possibilities of both security leakage and breakage explode.

Regards
Henrik
Received on Wednesday, 29 February 2012 22:45:01 UTC