ekr at rtfm.com
Thu Mar 9 10:54:04 PST 2006
Jeffrey Altman <jaltman at secure-endpoints.com> writes:
> Mike Shaver wrote:
>> On 7-Mar-06, at 9:05 PM, Sam Hartman wrote:
>>> You seem to be forgetting that HTTP has these things called proxies.
>>> HTTP auth is end-to-end but TLS is hop-by-hop.
>> Most HTTP proxies support CONNECT specifically to permit TLS to operate
>> end-to-end, do they not? (They can independently support TLS transit
>> between the proxy and the client, but very few do, and it's orthogonal
>> to the TLS-with-the-target-server issue.)
> There are a couple of issues that I see with using HTTP CONNECT. The
> first is that CONNECT is not standardized and the properties of the
> connections created via its use vary greatly. Some severely restrict
> the ports on which it can be used. Others apply very restricted time
> limits or data flow restrictions. I saw one proxy that supported
> CONNECT that would only allow a few Kbytes of data to flow outbound.
Well, it's technically standardized--see RFC 2817. I don't have any
real data on how consistent implementations are.
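The CONNECT tunnel discussed above, as an added example that is not part of the original thread or of RFC 2817: a toy proxy that parses "CONNECT host:port" (RFC 2817, section 5.2), applies a port restriction of the kind Jeffrey describes, replies 200 and then copies bytes in both directions without inspecting them, which is what lets TLS run end-to-end across the hop. The client, proxy and a fake origin talk over socketpairs so it runs offline. Everything in it is constructed: the host "example.test", the 443-only policy, the origin that echoes its input reversed, and the fake TLS record prefix, which is not a real ClientHello.

```python
import contextlib
import socket
import threading

# Assumption for this toy proxy: only port 443 may be tunnelled. Real proxies differ
# (port lists, time and byte limits), which is exactly the variation the thread describes.
ALLOWED_PORTS = {443}

def parse_connect(request):
    """Parse the request line 'CONNECT host:port HTTP/1.x'; return (host, port) or raise ValueError."""
    line = request.split(b"\r\n", 1)[0].decode("ascii")
    parts = line.split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/1."):
        raise ValueError("not a CONNECT request line")
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError("CONNECT target must be host:port")
    return host, int(port)

def read_head(sock):
    """Read an HTTP head up to the blank line; return (head, any bytes received after it)."""
    buf = b""
    while b"\r\n\r\n" not in buf and (chunk := sock.recv(4096)):
        buf += chunk
    head, _, rest = buf.partition(b"\r\n\r\n")
    return head, rest

def pump(src, dst):
    """Copy bytes one way without looking at them: after 200 the proxy is a dumb pipe."""
    with contextlib.suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)  # propagate EOF so the far side finishes too

def handle_connect(client, dial):
    """Serve one CONNECT on `client`. `dial(host, port)` returns a socket to the origin;
    it is injected so the example runs offline. Returns True if a tunnel was built."""
    head, leftover = read_head(client)
    try:
        host, port = parse_connect(head)
    except ValueError:
        client.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
        client.close()
        return False
    if port not in ALLOWED_PORTS:
        client.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
        client.close()
        return False
    origin = dial(host, port)
    client.sendall(b"HTTP/1.1 200 Connection Established\r\n\r\n")
    if leftover:  # bytes the client sent before seeing 200 already belong to the tunnel
        origin.sendall(leftover)
    pumps = [threading.Thread(target=pump, args=(client, origin)),
             threading.Thread(target=pump, args=(origin, client))]
    for t in pumps:
        t.start()
    for t in pumps:
        t.join()
    client.close()
    origin.close()
    return True

# Constructed stand-in for the first bytes a TLS client would send (record type 0x16,
# version 3.1). The proxy never parses it; the fake origin reverses it so the round trip shows.
CLIENT_FIRST_BYTES = b"\x16\x03\x01\x00\x05hello"

def tunnel_roundtrip(port):
    """Drive client, proxy and fake origin over socketpairs; return (status line, origin reply)."""
    client_end, proxy_end = socket.socketpair()
    proxy_side, origin_end = socket.socketpair()

    def origin():
        data = origin_end.recv(4096)
        if data:
            origin_end.sendall(data[::-1])
        origin_end.close()

    proxy = threading.Thread(target=handle_connect, args=(proxy_end, lambda h, p: proxy_side))
    fake_origin = threading.Thread(target=origin)
    proxy.start()
    fake_origin.start()
    client_end.sendall(b"CONNECT example.test:%d HTTP/1.1\r\nHost: example.test:%d\r\n\r\n" % (port, port))
    head, rest = read_head(client_end)
    status = head.split(b"\r\n", 1)[0].decode("ascii")
    reply = rest
    if status.startswith("HTTP/1.1 200"):
        client_end.sendall(CLIENT_FIRST_BYTES)
        client_end.shutdown(socket.SHUT_WR)
        while chunk := client_end.recv(4096):
            reply += chunk
    else:
        proxy_side.close()  # no tunnel was built; give the fake origin EOF so it exits
    proxy.join()
    fake_origin.join()
    client_end.close()
    return status, reply
```

tunnel_roundtrip(443) gets "200 Connection Established" and the reversed bytes back through the proxy, while tunnel_roundtrip(25) is refused with 403 before any origin connection is made; the proxy code path after the 200 never interprets the tunnelled bytes, so a TLS handshake inside it is between client and origin only.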