- From: <spreitze@parc.xerox.com>
- Date: Fri, 12 Feb 1999 08:43:34 PST
- To: Chris Newman <chris@innosoft.com>
- Cc: Mike Spreitzer <spreitze@parc.xerox.com>, ietf-http-ng@w3.org, discuss@apps.ietf.org
You wrote: [[ There are subtle issues which need to be dealt with: * If user authentication is done below the MEMUX layer, how will higher-level protocols "know" that? * If user authentication is done above the MEMUX layer, what damage can passive or active attacks at the MEMUX layer cause? * What impact will MEMUX have on firewalls when used to multiplex multiple services on the same port? ]] As for the first: how do higher layers ever "know" about authentication done in lower layers? This is an issue of software in the peers, not the protocol, right? What goes on the wire makes it clear (assuming the protocols above and below MEMUX were prepared to be separated at all --- which they would of course be if they're separate protocols); the issue is that an API for using MEMUX must enable authentication to pass through the MEMUX software layer appropriately. As this WG is not about designing the API, I figure that issue is out of scope. I think the other two issues are clearly in scope.
Received on Friday, 12 February 1999 11:44:06 UTC