Russ Allbery <[EMAIL PROTECTED]> writes:

> kevin mcgowan <[EMAIL PROTECTED]> writes:
>
> > With kx.509, users have the power to never send their Kerberos password
> > over the network -- translating desktop single sign-on to the web.
> > Cosign uses no domain cookies, allows users to logout of all cosign
> > protected services, is capable of transferring Kerberos credentials
> > among authorized web servers over an encrypted channel (not in a domain
> > cookie or on the query string or in an implicit POST that requires
> > javascript), works through firewalls, works across domains, runs on
> > Apache 1.3, IIS, Java servlet containers, and has beta support for
> > Apache 2.0. Naturally, all of this software is open source. Comments,
> > suggestions, contributions, gladly accepted.
>
> For whatever it's worth, the reason why we didn't go with a solution based
> on client-side certificates is that it doesn't make it possible for
> application servers to obtain credentials on behalf of the user and that
> was one of our requirements. (We were also a bit worried about client
> support -- cookie-based systems support lynx, for example. But that may
> be a solved problem now except for very marginal browsers.)

Just to clarify, cosign does not depend on client-side certificates, but
allows their use via kx.509. In the default case, the user sends their
password over SSL to the cosignd for verification.

Our answer to the proxy issue when certificates are used for authentication
is Kerberized Credentials Translation (KCT). The web server captures the SSL
handshake between itself and the client, forwards that handshake and other
info to the KCT (a Kerberized service) running on a KDC machine which can
issue Kerberos service tickets for the web server to use on the user's
behalf. (Thus, translating from a PKI world to Kerberos.) The handshake is
verified by the KCT so that it can verify that the end user requested
service from the web server. The KCT has a list which specifies which web
servers may request what kind of service tickets.

K.C.
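The KCT decision described above comes down to three checks: the forwarded handshake evidence must verify under the user's certificate, it must be bound to the web server that is now asking (so evidence captured by one server cannot be presented by another), and the requesting server must appear in the KCT's list for the requested service. The model below is an added example, not part of this message or of the cosign/KCT code; it assumes constructed sample users and servers, and it stands in an HMAC with a per-user key for the certificate signature the real KCT verifies, so that it runs with the standard library alone.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class HandshakeEvidence:
    """What the web server forwards to the KCT: who authenticated, to which
    server, a fresh nonce from that handshake, and the client's proof over it."""
    user: str
    server: str
    nonce: str
    proof: str


# Constructed sample data (assumption for this example, not a real deployment).
# Per-user secrets stand in for the public key in the client's kx.509 certificate;
# the real KCT checks a signature against the certificate, here an HMAC plays that role.
USER_KEYS = {"alice": b"alice-secret", "bob": b"bob-secret"}

# The KCT's list of which web servers may request which service tickets.
ACL = {
    "www.example.edu": {"imap/mail.example.edu", "afs/example.edu"},
    "calendar.example.edu": {"imap/mail.example.edu"},
}

# Handshakes already translated; a captured handshake may be used once only.
_SEEN = set()


def _transcript(user, server, nonce):
    # The handshake transcript binds the user to the server they spoke to.
    return f"{user}|{server}|{nonce}".encode()


def client_prove_handshake(user, server, nonce):
    """Client side: produce evidence bound to the server it authenticated to."""
    proof = hmac.new(USER_KEYS[user], _transcript(user, server, nonce),
                     hashlib.sha256).hexdigest()
    return HandshakeEvidence(user, server, nonce, proof)


def kct_issue_ticket(requesting_server, evidence, requested_service):
    """KCT side: returns (granted, detail); detail is a ticket description
    on success or the reason for refusal."""
    key = USER_KEYS.get(evidence.user)
    if key is None:
        return False, "unknown user"
    # 1. The user's proof over the handshake must verify.
    expected = hmac.new(key, _transcript(evidence.user, evidence.server,
                                         evidence.nonce), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, evidence.proof):
        return False, "handshake proof does not verify"
    # 2. The handshake must be with the server now asking for a ticket.
    if evidence.server != requesting_server:
        return False, "handshake was with a different server"
    # 3. Each handshake translates at most once.
    if (evidence.server, evidence.nonce) in _SEEN:
        return False, "handshake already used"
    # 4. The web server must be listed for the requested service.
    if requested_service not in ACL.get(requesting_server, set()):
        return False, "web server not authorised for this service"
    _SEEN.add((evidence.server, evidence.nonce))
    return True, f"ticket for {evidence.user} to {requested_service} via {requesting_server}"


if __name__ == "__main__":
    ev = client_prove_handshake("alice", "www.example.edu", "nonce-1")
    print(kct_issue_ticket("www.example.edu", ev, "imap/mail.example.edu"))
    print(kct_issue_ticket("calendar.example.edu", ev, "imap/mail.example.edu"))
```

The server-binding check is the one that makes the proxy design safe: without it, any listed web server could present evidence harvested elsewhere and obtain tickets for users who never visited it.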
________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
