Silvio Fonseca wrote:
>
> Quoting Sam Hartman <[EMAIL PROTECTED]>:
>
> >>> I have an application that uses HTTP (or HTTPS) to communicate
> >>> between the server and the clients and neither are browsers or
> >>> web servers...
> >Douglas> Another option is that OpenSSL can encapsulate Kerberos
> >Douglas> tickets in what SSL thinks are certificates.
> >Please don't do this if you can avoid it. Use either the Mozilla or
> >the Microsoft style GSSAPI, or better yet don't use HTTP at all if you
> >don't expect your application to be used by normal web browsers.
>
> I can avoid it... As I told Douglas, I have control over server and client
> code, so it is up to me to decide what I want... The lead developer's idea was
> to use the Microsoft implementation using the "WWW-Authenticate: Negotiate"
> tag, but it's more likely that I'll use the Mozilla implementation (using
> GSS-Negotiate in the tag and pure GSS code encoded in base64) only and later
> change to SPNEGO, from what I read in the SPNEGO RFC and Microsoft
> Implementation, it will be simple...
>
> >There are some significant issues with RFC 2712 (Kerberos inside TLS)
> >and even more significant issues with the OpenSSL implementation of
> >that spec.
>
> Is there (besides kx509) any implementation of this? Just to know, what issues??

kx509 is not an implementation of this at all. It in effect issues
an x509 certificate and key which any browser can use. Kerberos is
used to authenticate to the kca once a day or so to get a new
certificate. The certificate is stored in the MS cert cache and looks
just like any other certificate, except it has a short lifetime.
Netscape can access the certificate and key via a PKCS11 plugin.

>
> --
> Silvio Fonseca
> Linux Consultant
> -------------------------------------------------
> Relato Consultoria de Informática
> Rua Mto. João Gomes de Araújo, 106 cj. 42
> Alto de Santana - São Paulo - SP
> Telefones: (11) 6978-5253 / (11) 6978-5262
> Fax: (11) 6971-3115
>
> ________________________________________________
> Kerberos mailing list [EMAIL PROTECTED]
> https://mailman.mit.edu/mailman/listinfo/kerberos

--

 Douglas E. Engert <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois 60439
 (630) 252-5444
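
The thread contrasts sending pure GSS tokens in base64 under `GSS-Negotiate` with moving to SPNEGO later. The following is an added example, not code from any poster in this thread: a server-side check that decodes such a header and reports whether the initial token is raw Kerberos or SPNEGO-wrapped. The function names are hypothetical, the OIDs are the standard mechanism OIDs, and the sample headers are constructed with a dummy body.

```python
import base64

# DER-encoded mechanism OIDs (standard values, not taken from the thread)
OID_SPNEGO = bytes.fromhex("2b0601050502")      # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2
MECHS = {OID_SPNEGO: "spnego", OID_KRB5: "krb5"}
SCHEMES = ("negotiate", "gss-negotiate")

def _der_len(buf, pos):
    """Decode the DER length at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_token(header_value):
    """Return (scheme, mechanism) for an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in SCHEMES:
        raise ValueError("not a Negotiate-style scheme")
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        raise ValueError("token is not valid base64") from exc
    # Initial context token framing: 0x60 <len> 0x06 <oid-len> <oid> ...
    if len(tok) < 4 or tok[0] != 0x60:
        raise ValueError("not a GSS-API initial context token")
    total, pos = _der_len(tok, 1)
    if total < 2 or pos + total != len(tok):
        raise ValueError("outer length does not match token size")
    if tok[pos] != 0x06:
        raise ValueError("mechanism OID missing")
    oid_len, pos = _der_len(tok, pos + 1)
    return scheme.lower(), MECHS.get(tok[pos:pos + oid_len], "unknown")

def sample_header(scheme, oid, body=b"\x00" * 8):
    """Build a constructed header with a dummy body (cannot authenticate)."""
    inner = b"\x06" + bytes([len(oid)]) + oid + body
    token = b"\x60" + bytes([len(inner)]) + inner
    return scheme + " " + base64.b64encode(token).decode()

if __name__ == "__main__":
    for scheme, oid in (("GSS-Negotiate", OID_KRB5), ("Negotiate", OID_SPNEGO)):
        print(classify_token(sample_header(scheme, oid)))
```

Rejecting anything that fails this framing before it reaches the GSS library keeps malformed or unexpected-mechanism tokens out of the acceptor and gives a clear log line when a client switches from raw Kerberos to SPNEGO.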
