On Mon, 2004-03-08 at 14:21, Russ Allbery wrote:
> Wyllys Ingersoll <[EMAIL PROTECTED]> writes:
>
> > Writing new code is the barrier that will prevent it from going much
> > beyond the experimental stage unless it is adopted by a mainstream
> > browser (mozilla) and web server (apache).
>
> What makes you think that WebAuth hasn't gone beyond the experimental
> stage?

I guess I chose the wrong words there. Basically, I just meant moving it
beyond Stanford and into the mainstream. I did not mean to marginalize
your efforts.

> >> My impression is that Kerberos v5 is a standardized protocol and that
> >> compatibility bugs are considered exactly that and fixed. Am I being
> >> naive about that?
>
> > The protocol is standard, but the programming APIs are not. A site
> > with MIT libraries will not be able to run apps that compiled against
> > Heimdal libraries, for example. GSSAPI is a standardized programming
> > API, code that is properly written will generally compile cleanly
> > against MIT, Heimdal, and Solaris GSSAPI libraries without modifying
> > the code.
>
> This is not my experience in maintaining Kerberos software that has to
> work with both MIT and Heimdal. The GSSAPI implementations are subtly
> different and require Autoconf detection to work out the right things to
> do. I've had to do more porting of GSSAPI code than raw Kerberos v5 code,
> in fact.

That may be true depending on whether or not the code is calling
non-standard bits of GSSAPI. Each vendor has implemented some
non-standard GSSAPI calls that are generally not as portable. However,
it is possible to write portable GSSAPI without much trouble; one must
just be aware of what parts are standard API and what are
private/non-standard.

>
> I have no experience with Sun Kerberos and know of no one who's using it,
> so I can't comment there.

ouch! :)

It's based on MIT KRB5, but we do not expose the raw KRB5 APIs; instead
we recommend that developers write to the GSSAPI layer for portability
and extensibility.

> > Agreed. However, the systems need to already have Kerberos software
> > installed and configured in order to even consider using browser SSO,
>
> No, they don't.
>
> I think you've missed how WebAuth works. It doesn't require any software
> on the client side whatsoever except for a browser that supports SSL and
> cookies.

Ah, I see what you mean. You are correct, I misunderstood the client
side requirements.

-Wyllys
