[2928] in WWW Security List Archive
Re: S/KEY authentication over HTTP protocol
daemon@ATHENA.MIT.EDU (Adam Cain)
Wed Sep 11 21:52:06 1996
Date: Mon, 09 Sep 1996 19:52:51 -0500
To: Mary Ellen Zurko <zurko@osf.org>
From: Adam Cain <acain@ncsa.uiuc.edu>
Cc: briansp@ans.net, www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
At 11:43 AM 9/11/96 -0400, you wrote:
>> which provides encryption (weak or strong) of the entire session. I'd
>> also like to see Kerberos support in HTTP. I believe I saw K4 and K5
>> hooks in S-HTTP, but I haven't looked at the spec in a while.
>
>Also, NCSA had a project to integrate Kerberos into its browser and
>server. They had something prototyped that did authentication, but
>not encryption, and had some hard-coded naming assumptions. I haven't
>heard any update on it since.
Kerberos authentication via HTTP is supported in HTTPd 1.5 (and 1.6b1)
as well as XMosaic 2.7b. The 'hard-coded naming' must refer to the fact
that we (interested parties on a mailing list) decided that the Kerberos
principal name of the server be derived from the server name. This is
consistent with the intent of Kerberos, and having the server specify its
principal name in a 401 response opens things up for man-in-the-middle
attacks. Message content encryption is being revisited currently.
See http://www.ncsa.uiuc.edu/InformationServers/adam/paris/KRB1.HTM
Adam
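The naming decision Adam describes, modelled as an added example (not NCSA HTTPd or Mosaic code): a client that derives the server's principal from the URL host versus one that takes whatever principal a 401 challenge names. The challenge syntax (`Kerberos realm="...", principal="..."`), the realm `EXAMPLE.COM`, the `HTTP/host@REALM` principal form and the toy XOR sealing are all assumptions standing in for the real protocol and Kerberos crypto; the KDC and the man-in-the-middle are simulated in-process.

```python
"""Toy model of one client-side decision: derive the server's Kerberos
principal from the host name, or trust a principal supplied in a 401.
Added example, not NCSA HTTPd/Mosaic code. The challenge syntax, realm,
principal form and XOR 'sealing' are assumptions, not the real protocol."""
import hashlib
import os
import re
from urllib.parse import urlsplit

REALM = "EXAMPLE.COM"  # assumed realm for the example


def service_principal_for_url(url, realm=REALM):
    """Derive the service principal from the URL host (HTTP/host@REALM).
    This is the client behaviour the message argues for."""
    host = urlsplit(url).hostname  # already lower-cased by urlsplit
    if not host:
        raise ValueError("URL has no host component: %r" % url)
    return "HTTP/%s@%s" % (host, realm)


_PRINCIPAL_RE = re.compile(r'principal="([^"]+)"')


def principal_from_challenge(www_authenticate):
    """Extract a server-supplied principal from a hypothetical 401 challenge
    of the form: Kerberos realm="...", principal="...". None if absent."""
    m = _PRINCIPAL_RE.search(www_authenticate)
    return m.group(1) if m else None


def _keystream(key, length):
    # Toy keystream (SHA-256 in counter mode); stands in for Kerberos encryption.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(key, data):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


class ToyKDC:
    """One long-term key per service principal; tickets carry a session key
    sealed under the named service's key, so only that service can open it."""
    def __init__(self):
        self._keys = {}

    def register(self, principal):
        self._keys[principal] = os.urandom(16)

    def key_of(self, principal):
        return self._keys[principal]

    def issue_ticket(self, service_principal):
        session_key = os.urandom(16)
        sealed = _xor(self._keys[service_principal], session_key)
        return session_key, sealed


def choose_principal(url, www_authenticate, trust_challenge):
    """Principal the client asks the KDC for. trust_challenge=True models the
    design the message rejects: the 401 names the principal."""
    if trust_challenge:
        supplied = principal_from_challenge(www_authenticate)
        if supplied:
            return supplied
    return service_principal_for_url(url)


def attacker_learns_session_key(kdc, url, www_authenticate,
                                attacker_principal, trust_challenge):
    """One authentication with a man-in-the-middle relaying the 401.
    True if the attacker can unseal the ticket the client obtained, i.e.
    could read the client's authenticator and impersonate the server."""
    target = choose_principal(url, www_authenticate, trust_challenge)
    session_key, sealed = kdc.issue_ticket(target)
    recovered = _xor(kdc.key_of(attacker_principal), sealed)
    return recovered == session_key


def demo():
    kdc = ToyKDC()
    real = "HTTP/www.example.com@" + REALM
    evil = "HTTP/mitm.example.com@" + REALM  # attacker's own, legitimately registered principal
    kdc.register(real)
    kdc.register(evil)
    url = "http://www.example.com/secret.html"
    # Constructed challenge as the attacker rewrites it, naming its own principal.
    forged = 'Kerberos realm="%s", principal="%s"' % (REALM, evil)
    return {
        "trusting_client_compromised": attacker_learns_session_key(kdc, url, forged, evil, True),
        "deriving_client_compromised": attacker_learns_session_key(kdc, url, forged, evil, False),
    }


if __name__ == "__main__":
    print(demo())
```

The attacker here holds a perfectly valid principal of its own; the only thing it controls is the 401 it relays. A client that names the service from the URL asks the KDC for a ticket to the host it meant to reach, which the attacker's key cannot open, so the interposition buys nothing.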