Re: GSSAPI x Kerberos

Frank Balluffi Fri, 11 Jul 2003 10:48:48 -0700

Sam,

Can you be more specific about "significant issues with RFC 2712". Thanks.


Frank



                                                                                       
                                                
                      Sam Hartman                                                      
                                                
                      <[EMAIL PROTECTED]        To:       "Douglas E. Engert" <[EMAIL 
PROTECTED]>                                        
                      >                        cc:       "[EMAIL PROTECTED]" <[EMAIL 
PROTECTED]>                                         
                      Sent by:                 Subject:  Re: GSSAPI x Kerberos         
                                                
                      kerberos-bounces@                                                
                                                
                      mit.edu                                                          
                                                
                                                                                       
                                                
                                                                                       
                                                
                      07/11/2003 08:45                                                 
                                                
                      AM                                                               
                                                
                                                                                       
                                                
                                                                                       
                                                




>>>>> "Douglas" == Douglas E Engert <[EMAIL PROTECTED]> writes:

    Douglas> [EMAIL PROTECTED] wrote:
    >>  Citando "Douglas E. Engert" <[EMAIL PROTECTED]>: > > The other
    >> problem I'll have to solve is to implement the authentication >
    >> over > > HTTP, any suggestions?
    >> >
    >> > Look at the kx509 from the University of Michigan. It uses
    >> Kerberos > authentication > to obtain a short term
    >> certificate. This certificate can then be used by IE > or
    >> Netscape.  > You then use the standard SSL in the browsers and
    >> web servers.  > The client can run on any Unix, Mac or Windows.
    >>
    >> Sorry, I forgot to give a few informations about why I need to
    >> use GSS over HTTP (the link will help anyway :-))
    >>
    >> I have an application that uses HTTP (or HTTPS) to communicate
    >> between the server and the clients and neither are browsers or
    >> web servers...

    Douglas> Another option is that OpenSSL can encapsulate Kerberos
    Douglas> tickets in what SSL thinks are certificates.
Please don't do this is you can avoid it.  Use either the Mozilla or
the Microsoft style GSSAPI, or better yet don't use HTTP at all if you
don't expect your application to be used by normal web browsers.

There are some significant issues with RFC 2712 (Kerberos inside TLS)
and even more significant issues with the OpenSSL implementation of
that spec.

________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos





--

This e-mail may contain confidential and/or privileged information. If you are not the 
intended recipient (or have received this e-mail in error) please notify the sender 
immediately and destroy this e-mail. Any unauthorized copying, disclosure or 
distribution of the material in this e-mail is strictly forbidden.


________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: GSSAPI x Kerberos

Reply via email to