
On 12/11/10 5:59 AM, wren ng thornton wrote:
> On 12/9/10 4:04 PM, Richard O'Keefe wrote:
>> As long as the material from Y replicated at X is *supposed* to be publicly available, I don't see a security problem here. Only Y accepts updates from outside, and it continues to do whatever authentication it would do without a mirror. The mirror X would *not* accept updates.
>
> The security issue is how does a client, C, know to trust X (maybe X is evil) or know to trust the transmission of data from Y to X (maybe a man in the middle corrupted things and X has become a confused deputy), etc.

P.S., X can't really be a "confused deputy" here since X has no special privileges[1], rather X would become more of a confused librarian: y'know, the kindly old but somewhat senile librarian who occasionally mistakes your requests (like that time they gave you Cujo when you asked for a book on the care and feeding of pets, or the time they gave you some writings by the Marquis de Sade when you were doing research for your anatomy class).

[1] The implicit trust C has for X usually isn't counted as a "privilege" in the security world.

--
Live well,
~wren