Re: [SQU] Credentials forwarding?

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 10 Jan 2001 01:50:55 +0100

Robert Collins wrote:

> Yes but HOW does the upstream cache communicate to the downstream that it supports this? If it doesn't communicate this, Digest
> authentication (if that's being used) _will_ fail. And the upstream provider may have a problem with their cache and switch boxes
> temporarily. Squid doesn't assume HTTP 1.1 for a cache peer - it detects it. Sure they have a peering agreement BUT the protocol
> needs to communicate its capabilities.

It doesn't need to. It is a requirement in the peering agreement between
the two administrative domains. If the peering agreement didn't require
the user credentials to be passed, why should they?

> actually it doesn't achieve both things. That's my point. It's a neat little hack for now, but it won't cleanly and reliably grow
> into the existing authentication protocols that do prevent replay & spoofing - because they are designed to prevent in-transit
> changes which overloading the user is.

Point taken.

So for such schemes, the upstream using my proposal cannot take the
shortcut and handle all users as one. This means the backend must be
aware of the method, or that the (backend) user database includes all
users for each downstream.

Does not look as neat, but still manageable I think.

/Henrik
Received on Tue Jan 09 2001 - 18:02:15 MST