>>>>> "Rick" == Rick Murphy <[EMAIL PROTECTED]> writes:

Rick> That works until you want SSL V2 (client authentication) - unless you trust 
Rick> your proxy to hold everyone's private key (VERY bad idea).

Why is it a bad idea? You'd rather users have it on their hard disks with a
null passphrase? Or have you deployed smart cards everywhere? Putting all
your eggs in one basket is fine, as long as you properly engineer the basket
;) Of course, you'd want to have the user authenticate to the proxy before
releasing her certs, but that's a trivial redirect to an auth/cert
selection page, since you already have an SSL connection in progress.

Rick> I've seen several proposals to do what you describe but I've never seen it 
Rick> tried; I thought you would need to make changes to the browsers to permit 
Rick> them to accept the proxy's certificate in lieu of the site they expected 
Rick> one from; a recent Netscape bug (once a cert is marked as ok for a site 

I proposed this in 1995 or so (I think I was the first one to do so, but I
could be mistaken), but have never seen anyone code it. If you
install the proxy's cert in the browser as a trusted CA, the proxy just has
to generate a cert with the appropriate name fields and sign it. Since
signing is moderately expensive, you'd want to cache the certs. No other
real obstacles.

It's still on my to-do list, but is behind 2 other projects. My roundtoit
supply has increased dramatically recently, however, so who knows.

-- 
Carson Gaspar -- [EMAIL PROTECTED]
Security Consultant at Large -- For Hire or Rent - E-mail to Enquire
Queen Trapped in a Butch Body
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
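The certificate-minting scheme Carson sketches above (proxy cert installed in the browser as a trusted CA, proxy generates and signs a cert with the right name fields per site, signatures cached because signing is expensive) is shown below as an added Go example using only the standard library. It is not code from this thread or from any proxy product; the `ProxyCA`, `Leaf`, `LeafFor`, `ClientAccepts` and `MintedBy` names and the sample host are constructed for this illustration. The two verification helpers make the defender's point explicit: a client that does not have the proxy CA in its trust store rejects the minted cert outright, and any served cert that chains to the proxy CA rather than the site's real issuer is an unambiguous sign that interception is in place.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// Leaf is a per-site certificate the proxy minted, with the key it serves it with.
type Leaf struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// ProxyCA is the proxy's signing certificate plus the cache of minted leaves.
// Hypothetical type written for this example, not taken from any real proxy.
type ProxyCA struct {
	Cert   *x509.Certificate
	key    *ecdsa.PrivateKey
	mu     sync.Mutex
	cache  map[string]*Leaf // keyed by host name; avoids re-signing per request
	serial int64
}

// issue signs tmpl with signer under parent and parses the resulting DER.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewProxyCA creates the self-signed CA a browser would have to trust.
func NewProxyCA() (*ProxyCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Interception Proxy CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &ProxyCA{Cert: cert, key: key, cache: map[string]*Leaf{}, serial: 1}, nil
}

// LeafFor returns the certificate for host, minting it on first use and serving
// it from the cache afterwards. The bool reports whether the cache was hit.
func (p *ProxyCA) LeafFor(host string) (*Leaf, bool, error) {
	p.mu.Lock()
	defer p.mu.Unlock()
	if l, ok := p.cache[host]; ok {
		return l, true, nil
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, false, err
	}
	p.serial++
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(p.serial),
		Subject:      pkix.Name{CommonName: host}, // the "appropriate name fields"
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	cert, err := issue(tmpl, p.Cert, &key.PublicKey, p.key)
	if err != nil {
		return nil, false, err
	}
	l := &Leaf{Cert: cert, Key: key}
	p.cache[host] = l
	return l, false, nil
}

// ClientAccepts is the browser-side check: does a client whose trust store is
// roots accept leaf for host? With the proxy CA absent it must fail.
func ClientAccepts(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// MintedBy is the defender-side check: a served certificate whose signature
// verifies under the proxy CA was minted by the proxy, not by the site's real CA.
func MintedBy(leaf *x509.Certificate, ca *ProxyCA) bool {
	return leaf.CheckSignatureFrom(ca.Cert) == nil
}

func main() {
	ca, err := NewProxyCA()
	if err != nil {
		panic(err)
	}
	host := "www.example.com" // constructed sample host
	l, hit1, _ := ca.LeafFor(host)
	_, hit2, _ := ca.LeafFor(host)
	trusting := x509.NewCertPool()
	trusting.AddCert(ca.Cert)
	fmt.Printf("cache hit on first mint: %v, on second: %v\n", hit1, hit2)
	fmt.Println("client with proxy CA installed accepts:", ClientAccepts(l.Cert, host, trusting))
	fmt.Println("client without it accepts:", ClientAccepts(l.Cert, host, x509.NewCertPool()))
	fmt.Println("leaf chains to proxy CA:", MintedBy(l.Cert, ca))
}
```

The leaf private key stays in the proxy's cache alongside the cert, which is exactly the "eggs in one basket" the thread argues about: the proxy holds every server-side key it mints, and adding SSL client authentication would mean holding the users' keys there too.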
