kevin mcgowan <[EMAIL PROTECTED]> writes:

> With kx.509, users have the power to never send their Kerberos password
> over the network -- translating desktop single sign-on to the web.
> Cosign uses no domain cookies, allows users to logout of all cosign
> protected services, is capable of transferring Kerberos credentials
> among authorized web servers over an encrypted channel (not in a domain
> cookie or on the query string or in an implicit POST that requires
> javascript), works through firewalls, works across domains, runs on
> Apache 1.3, IIS, Java servlet containers, and has beta support for
> Apache 2.0. Naturally, all of this software is open source. Comments,
> suggestions, contributions, gladly accepted.
For whatever it's worth, the reason why we didn't go with a solution based on client-side certificates is that it doesn't make it possible for application servers to obtain credentials on behalf of the user, and that was one of our requirements. (We were also a bit worried about client support -- cookie-based systems support lynx, for example. But that may be a solved problem now except for very marginal browsers.)

The point about being able to do logout is a good one, though. With WebAuth, you basically have to exit the browser when you're done to log out; nothing else is really safe or sufficient.

-- 
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos