[18350] in cryptography@c2.net mail archive


Re: Another entry in the internet security hall of shame....

daemon@ATHENA.MIT.EDU (Victor Duchovni)
Wed Aug 31 12:20:21 2005

X-Original-To: cryptography@metzdowd.com
Date: Wed, 31 Aug 2005 12:06:58 -0400
From: Victor Duchovni <Victor.Duchovni@MorganStanley.com>
To: cryptography@metzdowd.com
Mail-Followup-To: cryptography@metzdowd.com
In-Reply-To: <4315A629.4090208@systemics.com>

On Wed, Aug 31, 2005 at 01:44:25PM +0100, Ian G wrote:

> Not only is there this distance, it is duplicated
> across all languages and all the different auth
> regimes and also for "homegrown" password auth,
> over every application!  I'd wonder if given these
> barriers it will ever be possible to get change to
> happen?
> 

At least here, the front-end servers handle a plethora of authentication
types including client certificate (so client password in TLS should work
too) and the authentication context is then propagated via cookies to
the deep stack of applications behind the perimeter servers. This said,
indeed this is a challenge. Any site that can get client certs working
can handle variations on the theme; if their authentication happens
deep inside the system (say, an AD domain controller behind the webservers),
it won't work.

-- 

 /"\ ASCII RIBBON                  NOTICE: If received in error,
 \ / CAMPAIGN     Victor Duchovni  please destroy and notify
  X AGAINST       IT Security,     sender. Sender does not waive
 / \ HTML MAIL    Morgan Stanley   confidentiality or privilege,
                                   and use is prohibited.
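The perimeter-to-backend propagation described in the message above (the front end authenticates the client by whatever means it supports, then backends trust a cookie carrying the result) is easy to get subtly wrong, so here is a minimal worked version as an added illustration. It is not code from the message, from Morgan Stanley, or from any product the thread mentions; the cookie layout, the `mint_context_cookie`/`verify_context_cookie` names, the shared HMAC key arrangement, the `amr` method label and the sample principal are all assumptions made for the example.

```python
"""Propagating an authentication context from perimeter servers to backend
applications via a signed cookie.

Added illustration for this thread, not code from the original message or
from any real deployment it mentions.  Assumed design: the front end has
already authenticated the client (client certificate, TLS-level password,
or something else) and mints a short-lived cookie carrying the principal and
the method used; backends share an HMAC key with the front end and accept
the cookie instead of re-authenticating.  All names and the key below are
hypothetical.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical shared secret between the perimeter and backend tiers.
# In a real deployment this comes from a secret store, not source code.
CONTEXT_KEY = b"example-shared-key-not-for-production"

COOKIE_TTL_SECONDS = 900  # short-lived; the perimeter re-issues as needed


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    pad = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + pad)


def mint_context_cookie(principal: str, method: str, key: bytes = CONTEXT_KEY,
                        now: Optional[float] = None) -> str:
    """Perimeter side: wrap an already-verified identity in a signed cookie.

    `method` records how the perimeter authenticated the user (e.g. "x509"
    for a client certificate, "tls-password" for a TLS-level password), so
    backends can make policy decisions on it without re-implementing each
    scheme themselves.
    """
    issued = int(now if now is not None else time.time())
    payload = {"sub": principal, "amr": method, "iat": issued,
               "exp": issued + COOKIE_TTL_SECONDS}
    body = _b64url(json.dumps(payload, separators=(",", ":"),
                              sort_keys=True).encode())
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64url(tag)}"


def verify_context_cookie(cookie: str, key: bytes = CONTEXT_KEY,
                          now: Optional[float] = None) -> Optional[dict]:
    """Backend side: accept the cookie only if the MAC and lifetime check out.

    Returns the context dict, or None on any failure (malformed, forged,
    expired).  The MAC is checked before the payload is parsed so a tampered
    payload never reaches json.loads.
    """
    try:
        body, tag_text = cookie.split(".", 1)
        tag = _unb64url(tag_text)
    except (ValueError, TypeError, AttributeError):
        return None
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    try:
        ctx = json.loads(_unb64url(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(ctx, dict):
        return None
    exp = ctx.get("exp")
    current = now if now is not None else time.time()
    if not isinstance(exp, int) or current >= exp:
        return None
    return ctx


def tamper(cookie: str, new_principal: str) -> str:
    """Rewrite the principal without re-signing, as an attacker lacking the
    key would have to; used to show the backend rejects it."""
    body, tag_text = cookie.split(".", 1)
    ctx = json.loads(_unb64url(body))
    ctx["sub"] = new_principal
    forged = _b64url(json.dumps(ctx, separators=(",", ":"),
                                sort_keys=True).encode())
    return f"{forged}.{tag_text}"


if __name__ == "__main__":
    # Constructed scenario: the perimeter verified a client certificate
    # for the hypothetical user "alice" at a fixed clock value.
    c = mint_context_cookie("alice", "x509", now=1_000_000)
    print("backend accepts:", verify_context_cookie(c, now=1_000_100))
    print("forged cookie:", verify_context_cookie(tamper(c, "admin"), now=1_000_100))
    print("expired cookie:",
          verify_context_cookie(c, now=1_000_000 + COOKIE_TTL_SECONDS))
```

Two points the code makes that the message only implies: the backend must verify the MAC before trusting anything in the cookie (including the identity and the `amr` method), and the cookie has to be short-lived, because once minted it is a bearer credential that stands in for whatever the perimeter did. In practice the cookie would also carry the `Secure` and `HttpOnly` attributes, and the backend tier would be reachable only through the perimeter, so that a cookie alone cannot be presented to an application from outside.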

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
