Rickard Oberg wrote:
> ...
>
> And in this last step comes the problem: since B is on the DMZ with no
> access to the internal network where A resides, is this scenario
> possible? It would seem that B needs to have a way to validate the
> ticket without contacting A for this to work.
>
> ...

As you said, the DMZ service needs a way to verify the ticket without any other information. That might be possible by modifying the ticket generator. Instead of random text, make the ticket an encrypted message that the CAS client can decrypt and verify without needing to contact the server. But this makes a whole new set of problems to solve.
I believe Pubcookie uses a method like that and has addressed most of the problems.
<http://www.pubcookie.org/docs/how-pubcookie-works.html>

John

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
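The self-validating ticket John sketches, as an added illustration that is not code from this thread, from CAS or from Pubcookie: the ticket generator on A emits claims (user, target service, issue and expiry times, nonce) plus an HMAC under a key shared with B, so B on the DMZ can verify it without calling back to A. This example uses a MAC for integrity and authenticity rather than encryption, since the claims here do not need to be secret; the key, service URL, lifetime and the `seen` replay set are all assumptions of the example. It also shows three of the "whole new set of problems": the ticket must be bound to the service it was issued for, it must expire, and B must remember nonces to stop replay.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag appended to the claims


def _b64e(raw: bytes) -> str:
    # URL-safe base64 without padding, so the ticket survives a query string
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(key: bytes, user: str, service: str, now=None, ttl: int = 300) -> str:
    """Issued by A: claims bound to one service, short-lived, with a random nonce."""
    if now is None:
        now = time.time()
    claims = {
        "user": user,
        "service": service,        # B must refuse tickets minted for some other service
        "iat": int(now),
        "exp": int(now) + ttl,     # 300-second lifetime is an assumed value
        "nonce": secrets.token_hex(8),
    }
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64e(body + tag)


def validate_ticket(key: bytes, ticket: str, service: str, now=None, seen=None):
    """Run on B with no network path back to A. Returns the claims, or None on any failure."""
    if now is None:
        now = time.time()
    try:
        raw = _b64d(ticket)
    except ValueError:
        return None
    if len(raw) <= TAG_LEN:
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time compare before parsing anything: a forged or altered ticket stops here
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        claims = json.loads(body)
    except ValueError:
        return None
    if claims.get("service") != service:
        return None
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        return None
    if seen is not None:
        # Replay defence: B keeps nonces it has accepted until their expiry has passed
        nonce = claims.get("nonce")
        if nonce in seen:
            return None
        seen.add(nonce)
    return claims


if __name__ == "__main__":
    shared_key = secrets.token_bytes(32)          # assumed: provisioned to both A and B out of band
    svc = "https://b.dmz.example/app"             # assumed service URL
    t = issue_ticket(shared_key, "alice", svc)
    print("issued:", t)
    print("valid on B:", validate_ticket(shared_key, t, svc, seen=set()))
```

What the example does not solve is the part that makes this a "whole new set of problems": A and B must share (or rotate) the key out of band, B cannot learn that a ticket was revoked before it expires, and the two hosts need roughly synchronised clocks for the `iat`/`exp` window to be meaningful.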
