On Thu, 2004-03-04 at 20:43, Russ Allbery wrote: > Christopher Kranz <[EMAIL PROTECTED]> writes:
> > It occurred to me that if you think of the web client as the credentials > > cache Kerberos could easily be used as a WebISO solution. The web > > client connects to the web app. If you don't already have a service > > ticket you get redirected to a login server that will prompt you for > > your Kerberos password and get a TGT for you if you do not already have > > one. So in a sense the web client plus the login server combined looks > > like the traditional Kerberos client. The login server contacts the KDC > > and gets a TGT and creates a service ticket for the web app. It ships > > these back to the web client as cookies. The web client now has > > credentials to give to the web app. If the client connects to another > > Kerberized web app it is again redirected to the login server but this > > time it can use the stored TGT to obtain a service ticket for the new > > web application. > > This is exactly the design of Stanford's WebAuth v3. :) See: > > <http://webauthv3.stanford.edu/> Isn't this very similar to the what Passport and Project Liberty propose to use? Basically, its a variation of the "secure cookie" scheme. Netegrity does something similar as well. Is there a comparison anywhere between webauthv3 and the WebISO used by the above mentioned projects? I would be very interested in the comparison, just to know who is doing what, exactly, and what the benefits are for each system. One thing I dislike about webauth is that it is using raw KRB5 as opposed to the more portable and extensible GSSAPI interface. Why was GSSAPI not chosen? Using raw KRB5 protocol means tying one to a particular Kerberos implementation (MIT, Heimdal, Solaris, Microsoft). GSSAPI is a standard interface and is thus more portable across platforms and does not restrict a site to only using one Kerberos implementation. It also does not restrict one to using Kerberos as the secure authentication protocol. What about projects that just add support for new authentication methods like the "Auth Negotiate" scheme that Microsoft uses? Work is being done by the Mozilla project to support Kerberos auth via GSSAPI in a compatible manner: http://bugzilla.mozilla.org/show_bug.cgi?id=17578 -- Wyllys Ingersoll <wyllys.ingersoll AT sun DOT com> ________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
