>>This has always been a problem with the web. Not only do you not have
>>physical security of the device, you can not even be sure that it is the
>>device you are thinking it may be.
>
>
> Isn't this kind of thing exactly what Kerberos was designed for?
It is one of the things that Kerberos can do, but usually people
use a certificate for this.
> It's been a
> while since I've muddled with Kerberos so I don't know if there's a clean
> way to handle it for a web application. I know there are clients you can
> install that will handle the tickets, but I don't know what it would take to
> integrate them on the client side with the browser.
It takes an experimental Mozilla netlib ;-)
BTW, as of Win2K Windows authentication is largely based on
Kerberos, with a few extensions. So if you use Integrated Windows
Security, you are using Kerberos for browser authentication already.
Jochem
[Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings]
