Re: ID: Proxy autoconfig from Josh on 1997-04-08 (ietf-http-wg@w3.org from April to June 1997)

From: Josh <josh@early.com>
Date: Tue, 8 Apr 1997 18:22:53 -0400 (EDT)
To: Jim Gettys <jg@pa.dec.com>
Cc: yarong@microsoft.com, skwan@microsoft.com, http-wg@cuckoo.hpl.hp.com, josh@netscape.com
Message-Id: <199704082222.SAA14334@orac.early.com>

Yes  your point is valid..
Actually, I had suggested using their intermim DNS
solution in the meantime, until they get that and other issues
worked out.

The DNS solution isnt vulnderable to the issues they point out.
(IMHO , if im wrong, slap me )

According to Jim Gettys,
> 
> I talked to Jeff Schiller (IETF area director for security)
> about the serverloc security problems....
> 
> The problem is that anyone, anywhere, can advertize the service, and 
> potentially arrange to get a client to use a service (in this case,
> a proxy) of the attacker's choosing.
> 
> The security compromise for serverloc to go to proposed standard is to
> allow one, via public key crypto, verify the new advertisements.
> 
> The problem from our point of view is that the solution to serverloc's 
> security problem reduces to the previously unsolved problem: having to 
> distribute different keys to different browsers, which isn't better than 
> what we have now, having to distribute the first proxy configuration 
> information to the browser. A solution to this might be to use DHCP to 
> distribute the keys required, but is not yet specified.
> 
> Now, DHCP has its own set of security problems, but I note that people
> are already trusting it in the first place to get their IP addresses (for the
> mass market).
> 
> So without being expert at either protocol, it sure sounded like in
> the short term a DHCP based solution might be best, though in the longer
> term, something that is more dynamic than just information acquired
> at boot time would be a better solution (so that when a browser
> gets restarted, you can pick up the current proxy, or fail-over if a failure
> is detected while talking to a proxy.  And in the long term, this may
> not be either/or.
> 
> Hope this helps discussions....
> 				- Jim


-- 
-----------------------------------------------------------------------------
Josh R Cohen /Server Engineer 				       josh@early.com
Netscape Communications Corp. 				       josh@geeks.org
(This message is sent from my private email account to reach me for 
	business related issues, mailto:josh@netscape.com )
-----------------------------------------------------------------------------

Received on Tuesday, 8 April 1997 15:28:15 UTC