For whatever it's worth, the reason why we didn't go with a solution based
on client-side certificates is that it doesn't make it possible for
application servers to obtain credentials on behalf of the user and that
was one of our requirements. (We were also a bit worried about client
support -- cookie-based systems support lynx, for example. But that may
be a solved problem now except for very marginal browsers.)
This actually isn't true for kx509 -- at least not if one is using KCT. mod_kct uses evidence of the SSL handshake to request Kerberos credentials on behalf of the user:
http://www.citi.umich.edu/projects/kerb_pki/
From our perspective, it doesn't much matter how the user executed initial sign-on (e.g. with a password or with a cert), the rest of the session looks the same from the web app's perspective. What remains to be seen is what percentage of our users will actually bother to install client software to use web apps.
The point about being able to do logout is a good one, though. With WebAuth, you basically have to exit the browser when you're done to log out; nothing else is really safe or sufficient.
Like Stanford, Michigan's been in the webiso business for a very long time, and the inability to logout satisfactorily was one of our perennial gripes. It was difficult to implement, but I've been gratified that a vastly higher percentage of users than I expected actually take advantage of it on a regular basis.
Kevin
... "In, as you say, the mud." ...
________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
