"Ken Hornstein" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...

> I believe Sam Hartman already pointed out that generating a new network
> protocol to communicate with the KDC is a Really Bad Idea. In general,
> that part of Kerberos is supposed to be invisible to you. You could
> do that (I believe you said you wanted to avoid firewalls), but you
> would be making yourself not interoperate with all of the existing code
> that's already out there.

The WS-Security spec by MS/IBM/Verisign assumes that the Kerberos handshaking is done using the Kerberos protocol, but that routing of the session ticket is embedded in SOAP and that the SOAP body and/or headers are signed and/or encrypted using the Kerberos session key. I don't think that many people in the SOAP space seriously consider tunneling Kerberos through SOAP.

> If you mean, "Is anyone using SOAP as a Kerberos client/KDC communication
> protocol", the answer is likely no.

Agree. Wouldn't make any sense whatsoever. MS/IBM/Verisign do actually have a TGT type in their WS-Security spec, but my understanding is that this may not stay.

> If you're asking if anyone is using
> Kerberos to authenticate a SOAP-based protocol ... I don't know.

Yes; that exists. I did a Windows Kerberos-SSP-based implementation for this (based on the .NET Framework), available from our site at http://www.newtelligence.com/wsextensions . The implementation *should* be interoperable with GSSAPI if someone would implement the far portion of WS-Security on Unix (this stuff is mostly thought to serve as a .NET Web Services example).

Best Regards
Clemens

newtelligence AG
http://www.newtelligence.com
clemensv >> newtelligence.com

________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
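The binding Clemens describes (Kerberos handshake done by Kerberos itself, the service ticket carried in a SOAP security header, the SOAP body protected with the Kerberos session key) is sketched below as an added example. It is not newtelligence's wsextensions code and not the WS-Security spec's wire format: the `BodyMac` element and the `ValueType` string are constructed stand-ins for the spec's XML-DSIG signature and token type, the HMAC over a fixed `soap:Body` serialization stands in for XML Signature with Exclusive C14N, the `wsse` namespace is the later OASIS WSS 1.0 one rather than the MS/IBM/VeriSign draft's, and the ticket-to-key table replaces the AP-REQ decryption a real service does with its long-term key. What it does show is the shape of the design and why it works: the service derives the key from the ticket, so a forged ticket yields no key and a modified body fails the MAC.

```python
"""Added sketch: WS-Security-style Kerberos binding for a SOAP request.
A service ticket rides in the wsse:Security header; the SOAP body is
integrity-protected with a MAC keyed by the Kerberos session key."""
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
# OASIS WSS 1.0 secext namespace (later than the MS/IBM/VeriSign draft the post refers to).
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
ET.register_namespace("soap", SOAP)
ET.register_namespace("wsse", WSSE)

# Constructed stand-in for a KDC-issued service ticket. In real Kerberos the
# service decrypts the AP-REQ with its own long-term key to recover the session
# key; here the "ticket" is an opaque blob the service maps to that key.
SESSION_KEY = bytes(range(32))                        # constructed 256-bit key
TICKET_BLOB = b"AP-REQ-PLACEHOLDER:" + hashlib.sha256(SESSION_KEY).digest()
SERVICE_TICKET_TABLE = {TICKET_BLOB: SESSION_KEY}


def canonical_body(envelope):
    """Serialize soap:Body in one fixed form so both sides MAC identical bytes.
    Stand-in for XML-DSIG with Exclusive C14N, which real WS-Security uses."""
    body = copy.deepcopy(envelope.find(f"{{{SOAP}}}Body"))
    body.tail = None                                  # ignore whitespace after </Body>
    return ET.tostring(body, encoding="utf-8")


def body_mac(session_key, envelope):
    return hmac.new(session_key, canonical_body(envelope), hashlib.sha256).hexdigest()


def build_request(ticket, session_key, payload_text):
    """Client side: carry the ticket in wsse:Security and MAC the body with the session key."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    # ValueType value is a constructed label, not the spec's token-type URI.
    tok = ET.SubElement(sec, f"{{{WSSE}}}BinarySecurityToken", ValueType="KerberosTicket")
    tok.text = base64.b64encode(ticket).decode("ascii")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    ET.SubElement(body, "Echo").text = payload_text
    # Constructed <BodyMac> element stands in for the spec's ds:Signature over the body.
    ET.SubElement(sec, "BodyMac").text = body_mac(session_key, env)
    return ET.tostring(env, encoding="utf-8")


def verify_request(raw_xml, ticket_table=SERVICE_TICKET_TABLE):
    """Service side: recover the session key from the ticket, recheck the body MAC.
    Returns the Echo payload on success and None on any failure (no partial trust)."""
    env = ET.fromstring(raw_xml)
    sec = env.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if sec is None:
        return None                                   # no security header at all
    tok = sec.find(f"{{{WSSE}}}BinarySecurityToken")
    mac = sec.findtext("BodyMac")
    if tok is None or not tok.text or mac is None:
        return None
    try:
        session_key = ticket_table.get(base64.b64decode(tok.text))
    except ValueError:
        return None                                   # malformed token encoding
    if session_key is None:
        return None                                   # unknown or forged ticket: no key
    if not hmac.compare_digest(mac, body_mac(session_key, env)):
        return None                                   # body altered after signing
    return env.findtext(f"{{{SOAP}}}Body/Echo")


def tamper_body(raw_xml, new_text):
    """Constructed in-transit modification used to show the MAC check failing."""
    env = ET.fromstring(raw_xml)
    env.find(f"{{{SOAP}}}Body/Echo").text = new_text
    return ET.tostring(env, encoding="utf-8")


if __name__ == "__main__":
    req = build_request(TICKET_BLOB, SESSION_KEY, "hello")
    print(req.decode())
    print(verify_request(req))                                          # hello
    print(verify_request(tamper_body(req, "changed")))                  # None
    print(verify_request(build_request(b"bogus", SESSION_KEY, "hello")))  # None
```

The fixed-serialization step is where real deployments spend their effort: the signer and verifier must canonicalize the body identically or every legitimate message fails, which is why the spec layers on XML Signature and C14N rather than a plain HMAC over bytes. The header itself is not covered by the MAC here; the spec's signature references can cover headers too, as the post's "body and/or headers" wording reflects.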
