Re: Question ICAP-client

From: Alex Rousskov <rousskov@dont-contact.us>
Date: Thu, 22 Mar 2007 10:32:07 -0600

On Thu, 2007-03-22 at 16:26 +0100, Kinkie wrote:

> In this regard I see the ICAP server not to be any different from a
> proxy server, of which it is simply an extension.

Whether the trust boundary includes both the proxy and the ICAP server
depends on the setup. Being an "extension" is not always the same as
being a "trusted extension". And there may be several trust categories
involved.

> I just fail to see any
> added security in not sending all the information that the proxy server
> has to the ICAP server.

As I have tried to clarify, the problem we are discussing on this thread
(and the problem that the now-committed patch works on) is _not_ about
sending information to the ICAP server, but about treating requests
generated by the ICAP server as if they were authenticated by the
client.

$0.02,

Alex.
P.S. Still, "sending all the information that the proxy server has to
the ICAP server" is similar to sending all that information to another
proxy server: Sometimes it is appropriate, sometimes it is not. The
patch, however, does not affect what information is sent to the ICAP
server.
Received on Thu Mar 22 2007 - 10:32:26 MDT
