On Tue, 30 May 2000, Rick Murphy wrote:
> That works until you want SSL V2 (client authentication) - unless you trust
> your proxy to hold everyone's private key (VERY bad idea).
I'm not so sure that it's categorically a bad idea to have an official
company machine present official credentials for its users on a hardened
host that's built to be secure and well-managed versus putting the
credential on laptops that go everywhere and have little to no physical
security.
One of my long-term goals has been to try to build a reasonably hard
system (for my own value of reasonable) that uses MAC stuff to store,
present, validate and invalidate certificates, and where administrative
access doesn't mean access to the private certificates.
> I've seen several proposals to do what you describe but I've never seen it
> tried; I thought you would need to make changes to the browsers to permit
I've been waiting for the Mozilla stuff to stabalize before trying to get
into this in software, especially since RSA's patent is about to go and
doing the client-side thing will be much easier after that happens.
> You could have the user always connect to the proxy unencrypted, then allow
> the proxy to do SSL; that'd work until a user gets redirected to a SSL site
> to enter an order.
The added advantage that content checking still works makes this pretty
attractive for classes of networks.
> I'd love to have the time to try writing a real SSL proxy to verify whether
> my expectations are true or not..
It probably won't be that difficult to script up something with the SSL
version of Lynx after the patent issues are in the clear.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
