[19557] in Kerberos


Re: GSSAPI x Kerberos

daemon@ATHENA.MIT.EDU (Frank Balluffi)
Fri Jul 11 14:19:58 2003

To: "Sam Hartman <hartmans" <hartmans@mit.edu>
Message-ID: <OF802F7ABE.5F85FA5D-ON85256D60.0060FC09@db.com>
From: "Frank Balluffi" <frank.balluffi@db.com>
Date: Fri, 11 Jul 2003 13:41:12 -0400
MIME-Version: 1.0
Content-type: text/plain; charset=us-ascii
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu


Sam,

Can you be more specific about "significant issues with RFC 2712"? Thanks.

Frank



                                                                                                                                       
Sam Hartman <hartmans@MIT.EDU>
Sent by: kerberos-bounces@mit.edu
07/11/2003 08:45 AM

To:       "Douglas E. Engert" <deengert@anl.gov>
cc:       "kerberos@mit.edu" <kerberos@mit.edu>
Subject:  Re: GSSAPI x Kerberos




>>>>> "Douglas" == Douglas E Engert <deengert@anl.gov> writes:

    Douglas> silvio@gdora.com.br wrote:
    >> Quoting "Douglas E. Engert" <deengert@anl.gov>:
    >> > > The other problem I'll have to solve is to implement the
    >> > > authentication over HTTP, any suggestions?
    >> >
    >> > Look at the kx509 from the University of Michigan. It uses
    >> > Kerberos authentication to obtain a short term certificate.
    >> > This certificate can then be used by IE or Netscape.
    >> > You then use the standard SSL in the browsers and web servers.
    >> > The client can run on any Unix, Mac or Windows.
    >>
    >> Sorry, I forgot to give some information about why I need to
    >> use GSS over HTTP (the link will help anyway :-))
    >>
    >> I have an application that uses HTTP (or HTTPS) to communicate
    >> between the server and the clients and neither are browsers or
    >> web servers...

    Douglas> Another option is that OpenSSL can encapsulate Kerberos
    Douglas> tickets in what SSL thinks are certificates.
Please don't do this if you can avoid it.  Use either the Mozilla or
the Microsoft style GSSAPI, or better yet don't use HTTP at all if you
don't expect your application to be used by normal web browsers.

There are some significant issues with RFC 2712 (Kerberos inside TLS)
and even more significant issues with the OpenSSL implementation of
that spec.

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos




