Firewall Wizards mailing list archives

SSL proxy info


From: "Paul D. Robertson" <proberts () clark net>
Date: Thu, 18 Sep 1997 13:06:47 -0400 (EDT)

I was just wondering if anyone had a consensus of SSL proxy capabilities
from a firewall perspective.  There seem to be three general schemes, the
first is to just pass the encrypted transport straight through, which
ensures the user's privacy, but not the site's security.  The second is
one which allows the HTTP headers to be examined, but not the data, which
in my mind seems almost as bad security-wise as the first, though at least
you can check site names, and do connection policy enforcement somewhat.
The last is to get a proxy with specific support for what amounts to a
MITM attack on the crypto, and allows complete inspection of the packet
contents prior to re-encryption.  At the moment I'm strongly favoring the
last, as I don't think that from a business perspective, there's a good
deal of argument for not being able to inspect packets, but I was
wondering if anyone else had specific thoughts on the issues, and
generally available implementations.  Patent-wise, given the expiration
of Diffie-Hellman (6 Sep), and the pending expiration of Hellman-Merkle
(6 Oct), freely available SSL with V3.0 (D-H, SHA, DES) is now a
possibility in the US (for as long as the government stays away), and I
see this as an important change.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
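As an added example (not part of the original post), this is the kind of connection-policy enforcement the second scheme permits: a non-decrypting proxy sees only the `CONNECT host:port` request line and, once the tunnel opens, the first bytes of the client's handshake. `ALLOWED_SUFFIXES` and `ALLOWED_PORTS` are hypothetical policy values, and the sample request lines and bytes are constructed for the example.

```python
import re
from dataclasses import dataclass

# Hypothetical policy values, constructed for this example.
ALLOWED_SUFFIXES = ("example.com", "bank.example.net")
ALLOWED_PORTS = {443}

# A CONNECT request line as the proxy sees it before opening the tunnel:
#   CONNECT host:port HTTP/1.x      (IPv6 literals arrive in brackets)
CONNECT_RE = re.compile(r"^CONNECT\s+(\[[^\]]+\]|[^\s:]+):(\d{1,5})\s+HTTP/1\.[01]$")


@dataclass
class Decision:
    allow: bool
    reason: str
    host: str = ""
    port: int = 0


def check_connect(request_line: str) -> Decision:
    """Enforce a site-name and port policy on the one thing a non-decrypting
    proxy can inspect: the requested destination."""
    m = CONNECT_RE.match(request_line.strip())
    if not m:
        return Decision(False, "malformed CONNECT line")
    # Normalise: strip IPv6 brackets, lower-case, drop a trailing root dot.
    host = m.group(1).strip("[]").lower().rstrip(".")
    port = int(m.group(2))
    if port not in ALLOWED_PORTS:
        return Decision(False, f"port {port} not permitted", host, port)
    # Suffix match requires a dot boundary so "notexample.com" cannot pass.
    if not any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES):
        return Decision(False, "host not on allow list", host, port)
    return Decision(True, "allowed", host, port)


def looks_like_handshake(first_bytes: bytes) -> bool:
    """Sanity check on the first bytes sent through an opened tunnel: an
    SSLv3/TLS record starts with content type 0x16 (handshake) and major
    version 0x03; an SSLv2 CLIENT-HELLO has a 2-byte length header with the
    high bit set followed by message type 0x01. Anything else is not an SSL
    session and the tunnel can be dropped rather than carried blindly."""
    if len(first_bytes) < 3:
        return False
    b = first_bytes
    return (b[0] == 0x16 and b[1] == 0x03) or (bool(b[0] & 0x80) and b[2] == 0x01)
```

The check only confirms the tunnel starts as a handshake and that the destination matches policy; nothing inside the encrypted records is visible without the third, decrypting, scheme.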