> On Sun, 7 Nov 1999, Paul Khavkine wrote:
>
> > Maybe you should try kerberosV
>
> Is there a (practical!) way to use kerberosV with IE, Netscape, Outlook,
> Eudora and all the stuff which end-users use?
Actually, yes. But that is not the reason for my desire to determine
how Cert Mapping should work.
For Eudora you use a K5-based implementation of Kclient.dll.
For the others, you use an out of band authentication callback
service, S/Identd. I have added support for S/Identd to TCP Wrappers
for use in filtering access to services that do not support any form
of authentication.
The third method is the TLS Kerb5 cipher suite which I would like to
see implemented (by someone outside the U.S.) in OpenSSL.
It is also possible to use a Kerberos 5 authenticated service to issue
X.509 certs on demand. This is what several Universities do. When
you authenticate with Kerberos you are issued an anonymous X509 cert
with a lifetime equal to the K5 TGT lifetime. The cert key is
inserted into an LDAP database so other services on the campus web can
perform the mapping from cert to userid. However, there is no method
to determine from the cert itself who it belongs to.
---
What I was hoping to determine from this thread was whether or not by
using a verified cert one could determine in a trusted manner who the
user is. It sounds to me like the answer to that is 'no'. That is, if a
user wants to use a Verisign cert then the user will have to register
the cert with the system that is going to accept it before being able
to use it.
In other words, we still have a long way to go.
Jeffrey Altman * Sr.Software Designer * Kermit-95 for Win32 and OS/2
The Kermit Project * Columbia University
612 West 115th St #716 * New York, NY * 10025
http://www.kermit-project.org/k95.html * [EMAIL PROTECTED]
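The university scheme described above (Kerberos-authenticated issuance of an anonymous X.509 cert with a TGT-bound lifetime, plus a directory that maps the cert's key to a userid) as an added model in Python; this is not code from the message or from the Kermit project, and the certificate is a plain dict standing in for a real DER-encoded X.509 cert, with the key bytes, userid and timestamps constructed for the demo.

```python
import os
from datetime import datetime, timedelta, timezone


class CertMappingService:
    """Constructed model: issues anonymous certs to Kerberos-authenticated
    users and records public key -> userid, as the LDAP directory does."""

    def __init__(self):
        self.directory = {}  # public key bytes -> (userid, expiry)

    def issue_for_tgt(self, userid, tgt_expiry, now, key_bytes=None):
        """Issue an anonymous cert; its lifetime is clamped to the TGT's."""
        if tgt_expiry <= now:
            raise ValueError("TGT already expired; refuse to issue")
        # Stand-in for the subject public key of a real certificate.
        key = key_bytes if key_bytes is not None else os.urandom(32)
        cert = {"subject": "anonymous", "public_key": key,
                "not_before": now, "not_after": tgt_expiry}
        self.directory[key] = (userid, tgt_expiry)  # the mapping LDAP holds
        return cert

    def map_to_userid(self, cert, now):
        """Resolve a cert to a userid, or None when it is outside its
        validity window, its TGT-bound entry has expired, or it was never
        registered (e.g. an external CA cert that chains fine but is unknown)."""
        if not (cert["not_before"] <= now < cert["not_after"]):
            return None
        entry = self.directory.get(cert["public_key"])
        if entry is None:
            return None  # verified, but nothing says who it belongs to
        userid, expiry = entry
        if now >= expiry:
            del self.directory[cert["public_key"]]  # cert died with the TGT
            return None
        return userid


def run_demo():
    """Exercise the model on constructed data; returns the mapping results."""
    svc = CertMappingService()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    cert = svc.issue_for_tgt("alice", t0 + timedelta(hours=10), t0)
    external = {"subject": "CN=Some User", "public_key": b"\x01" * 32,
                "not_before": t0, "not_after": t0 + timedelta(days=365)}
    return {
        "subject": cert["subject"],
        "during_tgt": svc.map_to_userid(cert, t0 + timedelta(hours=1)),
        "after_tgt": svc.map_to_userid(cert, t0 + timedelta(hours=10)),
        "unregistered": svc.map_to_userid(external, t0),
    }
```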
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]