Re: protocol support for intercepting proxies from Adrien de Croy on 2007-06-19 (ietf-http-wg@w3.org from April to June 2007)

From: Adrien de Croy <adrien@qbik.com>
Date: Tue, 19 Jun 2007 21:58:15 +1200
To: Adrian Chadd <adrian@creative.net.au>
CC: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <4677A8B7.6090302@qbik.com>

Yeah, this all points to some sort of generic config protocol.

I think there was a config protocol that Eudora used a while back - it 
didn't catch on.  You'd need something more like SNMP, where 
configuration points are registered under a global UID schema, or LDAP.  
Anything that can have a schema and data.

DHCP is just so restricted it's hard to see why so much effort is still 
being poured into it.  There are now more options than you can 
realistically fit into a 576 byte single UDP packet.  All to do config.  
A separate config protocol or framework would be much easier to grow.  
Use DHCP to discover the config server and go from there.  That's 
basically what AD does, uses DHCP to find the DNS server to do SRV 
lookups on to find the LDAP server.

As long as there is decent client-side API support so that UA developers 
can hook into it then the solution to auto-config issues is doable.

However, to quote Donald Rumsfeld, there are still the things we don't 
know that we don't know.  I'm still open to the possibility that 
considering intercepting proxies could have some benefits, even if one 
of those benefits doesn't turn out to be auto-config.  That requires 
contemplation of the issue.

Adrien

Adrian Chadd wrote:
> On Tue, Jun 19, 2007, Adrien de Croy wrote:
>   
>> Actually that proves my point.
>>
>> this is an example of security problems inherent in low-level protocols 
>> being solved using high level protocols, e.g. SSL certificates, key 
>> exchange protocols etc.  All of which require the IP config to be 
>> working, which therefore already required DHCP to be working without 
>> auth.  So, it pretty much makes DHCP auth pointless.
>>     
>
> .. and you can push out centralised HTTP proxy server settings via
> the same mechanisms. Admittedly its only one platform and I'm not sure
> when the AD/Group Policy support popped up, but its certainly doable.
>
> Me, I'd prefer to see the proxy discovery draft properly worked into
> an RFC as there are -plenty- of instances of WPAD being used in the
> real world these days. It'd also be nice to have it extensible to proxy
> other protocols, such as P2P client proxy discovery (when P2P caches
> become all the rage, that is..)
>
>
>
>
> Adrian
>
>
>

Received on Tuesday, 19 June 2007 09:58:16 UTC