ietf-openproxy

Re: OPES security issues (was Re: OPES BOF....)

2001-04-18 16:55:27
Dear James,

Thanks for your comments.  I added more comments interspersed below.

On Wed, 18 Apr 2001, James P. Salsman wrote:

> draft-elson-opes-icap-01.txt -- this draft has a three-part security
> considerations section.  The first part specifies Basic and Digest
> Access HTTP Authentication MUST be used for the proxy servers being
> described. The second part mentions, "eavesdroppers may be able to
> record the unencrypted transactions between ICAP clients and servers"
> which is interesting given that if they are able to do so, then they
> are able to defeat the RFC 2617 Basic and Digest Authentication
> required by the first section.

Isn't this true for any non-encrypted HTTP transaction currently in
the Internet? In the limitations section of RFC 2617 it says:

"Users and implementors should be aware that this protocol is not as
secure as Kerberos, and not as secure as any client-side private-key
scheme. Nevertheless it is better than nothing, better than what is
commonly used with telnet and ftp, and better than Basic
authentication."

> The third part complains about how difficult the validation of
> ICAP services will be.  This is one of the more amusing yet
> disturbing security considerations sections I have read in a long
> time.

Our intention was to explicitly mention this issue.  We did not intend
to solve in the spec the broader scope problem of service validation.

Best regards,
-Alberto
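
An added illustration of the point debated in this message (not part of the original post or of the ICAP draft): what a recording of an unencrypted exchange contains under each RFC 2617 scheme. The header values are the worked examples printed in RFC 2617 itself; the function names are assumptions chosen for this sketch.

```python
# Added illustration. Header values are RFC 2617's own worked examples,
# not traffic from any ICAP deployment.
import base64
import hashlib
import re

BASIC_HDR = "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
DIGEST_HDR = ('Digest username="Mufasa", realm="testrealm@host.com", '
              'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
              'uri="/dir/index.html", qop=auth, nc=00000001, '
              'cnonce="0a4f113b", '
              'response="6629fae49393a05397450978507c4ef1", '
              'opaque="5ccc069c403ebaf9f0171e9517f40e41"')

def md5_hex(text):
    return hashlib.md5(text.encode("latin-1")).hexdigest()

def basic_credentials(header):
    """Basic carries base64(user:password); decoding needs no secret."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization value")
    decoded = base64.b64decode(token).decode("latin-1")
    user, _, password = decoded.partition(":")
    return user, password

def digest_fields(header):
    """Split a Digest Authorization value into its key/value parameters."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization value")
    pairs = re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', rest)
    return {key: value.strip('"') for key, value in pairs}

def digest_response(fields, method, password):
    """Request-digest per RFC 2617 section 3.2.2.1 (qop=auth, MD5)."""
    ha1 = md5_hex(f"{fields['username']}:{fields['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{fields['uri']}")
    return md5_hex(":".join([ha1, fields["nonce"], fields["nc"],
                             fields["cnonce"], fields["qop"], ha2]))

if __name__ == "__main__":
    print("Basic on the wire  ->", basic_credentials(BASIC_HDR))
    seen = digest_fields(DIGEST_HDR)
    # The server, which knows the password, recomputes and compares.
    print("Digest on the wire ->", seen["response"])
    print("Server check passes:",
          digest_response(seen, "GET", "Circle Of Life") == seen["response"])
```

Basic yields the password by decoding alone, while the Digest header carries only a hash bound to the server's nonce. Neither scheme encrypts the rest of the transaction.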