On Thu, 2007-03-22 at 16:26 +0100, Kinkie wrote:

> In this regard I see the ICAP server not to be any different from a
> proxy server, of which it is simply an extension.

Whether the trust boundary includes both the proxy and the ICAP server depends on the setup. Being an "extension" is not always the same as being a "trusted extension". And there may be several trust categories involved.

> I just fail to see any
> added security in not sending all the information that the proxy server
> has to the ICAP server.

As I have tried to clarify, the problem we are discussing on this thread (and the problem that the now-committed patch works on) is _not_ about sending information to the ICAP server, but about treating requests generated by the ICAP server as if they were authenticated by the client.

$0.02,

Alex.

P.S. Still, "sending all the information that the proxy server has to the ICAP server" is similar to sending all that information to another proxy server: Sometimes it is appropriate, sometimes it is not. The patch, however, does not affect what information is sent to the ICAP server.