At 06:42 PM 5/30/00 -0400, [EMAIL PROTECTED] wrote:
> >>>>> "Rick" == Rick Murphy <[EMAIL PROTECTED]> writes:
>
>Rick> That works until you want SSL V2 (client authentication) - unless you trust
>Rick> your proxy to hold everyone's private key (VERY bad idea).
>
>Why is it a bad idea? You'd rather users have it on their hard disks with a
>null passphrase? Or have you deployed smart cards everywhere? Putting all
>your eggs in one basket is fine, as long as you properly engineer the basket
>;) Of course, you'd want to have the user authenticate to the proxy before
>releasing her certs, but that's a trivial re-direct to an auth/cert
>selection page, since you already have an SSL connection in progress.
If you're competent to engineer (and maintain) the 'basket' (as you are),
it's an acceptable risk. For the typical firewall user (who doesn't even
bother to strip down the OS), it's an opening wide enough to drive a truck
through.
-Rick
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
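An added example, not part of the thread above, for the "key on the hard disk with a null passphrase" case the reply raises: a small Python audit script that scans PEM files and reports private keys stored without passphrase protection. It decides from the PEM headers (PKCS#8 "ENCRYPTED PRIVATE KEY", legacy OpenSSL "Proc-Type: 4,ENCRYPTED") and, for OpenSSH-format keys, from the cipher name stored in the payload; all key material in the samples is constructed filler, not real keys, and the function and file names are my own.

```python
"""Audit PEM-encoded private keys for missing passphrase protection.

Added example (not from the mailing-list thread). Each PEM block is
classified as "encrypted", "plaintext", "unknown" or "not-a-key".
Sample key material below is constructed filler, not real keys.
"""
import base64
import binascii
import re
import struct
import sys
from pathlib import Path

BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+?)-----$", re.M)
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _openssh_cipher(body: str) -> str:
    """Cipher name from an OpenSSH-format key payload ("none" means unencrypted)."""
    try:
        raw = base64.b64decode("".join(body.split()))
    except (binascii.Error, ValueError):
        return "unknown"
    if not raw.startswith(OPENSSH_MAGIC):
        return "unknown"
    off = len(OPENSSH_MAGIC)
    (n,) = struct.unpack(">I", raw[off:off + 4])
    return raw[off + 4:off + 4 + n].decode("ascii", "replace")


def classify_pem(text: str) -> list[tuple[str, str]]:
    """Return (label, status) for every PEM block found in `text`."""
    results = []
    for m in BEGIN_RE.finditer(text):
        label = m.group(1)
        end = text.find(f"-----END {label}-----", m.end())
        body = text[m.end():end if end != -1 else len(text)]
        if not label.endswith("PRIVATE KEY"):
            status = "not-a-key"
        elif label == "ENCRYPTED PRIVATE KEY":
            status = "encrypted"  # PKCS#8 EncryptedPrivateKeyInfo
        elif label == "OPENSSH PRIVATE KEY":
            cipher = _openssh_cipher(body)
            status = ("plaintext" if cipher == "none"
                      else "unknown" if cipher == "unknown" else "encrypted")
        elif re.search(r"^Proc-Type:\s*4,ENCRYPTED", body, re.M):
            status = "encrypted"  # legacy PKCS#1 / SEC1 with DEK-Info header
        else:
            status = "plaintext"
        results.append((label, status))
    return results


def plaintext_keys(paths) -> list[tuple[str, str]]:
    """Return (path, label) for each private key stored without a passphrase."""
    found = []
    for p in paths:
        try:
            text = Path(p).read_text(errors="replace")
        except OSError:
            continue  # unreadable or missing file: skip, do not fail the audit
        found.extend((str(p), label)
                     for label, status in classify_pem(text) if status == "plaintext")
    return found


def _openssh_sample(cipher: bytes) -> str:
    """Constructed OpenSSH-format block: real magic + cipher name, filler payload."""
    raw = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher + b"\x00" * 16
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


FILLER = "QUJDREVGR0hJSktMTU5PUA=="  # constructed base64 filler, not key material

SAMPLES = {  # constructed test inputs
    "pkcs8_plain": f"-----BEGIN PRIVATE KEY-----\n{FILLER}\n-----END PRIVATE KEY-----\n",
    "pkcs8_encrypted": (f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{FILLER}\n"
                        "-----END ENCRYPTED PRIVATE KEY-----\n"),
    "legacy_plain": f"-----BEGIN RSA PRIVATE KEY-----\n{FILLER}\n-----END RSA PRIVATE KEY-----\n",
    "legacy_encrypted": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                         f"DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n{FILLER}\n"
                         "-----END RSA PRIVATE KEY-----\n"),
    "openssh_plain": _openssh_sample(b"none"),
    "openssh_encrypted": _openssh_sample(b"aes256-ctr"),
    "cert_only": f"-----BEGIN CERTIFICATE-----\n{FILLER}\n-----END CERTIFICATE-----\n",
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, label in plaintext_keys(sys.argv[1:]):
            print(f"UNPROTECTED {label}: {path}")
    else:
        for name, pem in SAMPLES.items():
            print(name, classify_pem(pem))
```

Run it with a list of files (for example the output of `find /home -name '*.pem'`) to get one line per unprotected key; with no arguments it classifies the constructed samples. The OpenSSH check decodes only the magic and cipher-name fields, so a key encrypted with any cipher other than "none" is reported as encrypted without touching the rest of the payload.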