- From: <hallam@w3.org>
- Date: Fri, 23 Feb 96 14:50:02 -0500
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
- Cc: hallam@w3.org
>1) Using dns-name as a proxy identifier isn't sufficient. You could >have multiple proxies on a single host, so the identifier should be a >combination of host:port. Yep, I'll add this in. >2) For Proxy-Instruction, it says proxies may strip out headers which >apply to them when passing the message on. What happens when there's a >chain or heirarchy of proxies? This is in general a very tricky problem. I thought I would make a first suggestion to check that people wanted this sort of thing. >3) For logging exchange, there isn't much said about access control >(other than the mention of IP spoofing) so I'm assuming you'd like it >to be IP based. I was wanting to keep it entirely separated. I can imagine using various authentication mechanisms based on HTTP. The main problem is that this implies a degree of trust between the principles. This is difficult if the parties are (say) the Hensa cache and CNN. I did wonder about a very lightweight cryptographic system, based on Diffie Helleman or the like. It would be very easy to produce a system which did not require certificates and would protect against passive listner attacks but not convoluted IP spoofing attacks. >There are cases where log sharing can be beneficial, >and it might be better to seperate this functionality from hit >notification. Say a corporation with 1000 servers and proxies wants to >collect logs nightly, or perhaps they only want to know how many times >each servers home page was read (as a rough measure of internal load). >One could write a CGI script that returns any size portion of the log >file. I was expecting the servers to exchange log files rather than hit counts. This is because I expect the analysers to be looking at the referer field in particular. This is an indicator of hot leads. The log file spec I submitted describes a format which could be used to either record every transaction or simply counts. The server should only recieve log file data which related to his own site. Proxies should not go arroung handing out all their logs to anyone who asks! >Externally, I might allow all servers to request how many hits pertain >to their site (possibly with logs) but internally I might be willing >to pass any and all logging info to trusted hosts. The logging >exchange described in the draft seems a subset of this. I was attempting to avoid a complex negotiation here. From the point of view of the server the proxy is depriving it of demographic data which is a fair exchange for the data. I can see two levels of logging which are usefull, full logs for the proxied transactions and summary (hit count) data. I don't see complex negotiation over which exact fields are logged to be usefull. I would also expect sites with privacy concerns to look to disguise their logs in some fashion to blind sensitive data such as IP addresses, usernames etc. The session ID proposal is a step towards that. Phill
Received on Friday, 23 February 1996 11:53:11 UTC