Nicolas.Williams at sun.com
Tue Mar 7 22:04:44 PST 2006
On Wed, Mar 08, 2006 at 12:44:27AM -0500, Jeffrey Altman wrote:
> Mike Shaver wrote:
> > On 7-Mar-06, at 9:05 PM, Sam Hartman wrote:
> >> You seem to be forgetting that HTTP has these things called proxies.
> >> HTTP auth is end-to-end but TLS is hop-by-hop.
> > Most HTTP proxies support CONNECT specifically to permit TLS to operate
> > end-to-end, do they not? (They can independently support TLS transit
> > between the proxy and the client, but very few do, and it's orthogonal
> > to the TLS-with-the-target-server issue.)
> > Mike
> I'm wondering if we can also consider using constrained delegation
> to allow authentication of the proxy. We could then negotiate
> TLS and bind it to a GSS/Kerberos exchange, forward a constrained
> credential, and then have the proxy negotiate TLS and authenticate the
> next hop, etc.
Wouldn't it be easier to not have proxies?
(That's a rhetorical question.)