[19574] in Kerberos


Re: GSSAPI x Kerberos

daemon@ATHENA.MIT.EDU (Silvio Fonseca)
Tue Jul 15 03:56:37 2003

Message-ID: <1057933063.3f0ec708027a0@webmail.relato.com.br>
Date: Fri, 11 Jul 2003 11:17:44 -0300
From: Silvio Fonseca <silvio@gdora.com.br>
To: Sam Hartman <hartmans@mit.edu>
In-Reply-To: <87brw1w7tc.fsf@luminous.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
cc: "Douglas E. Engert" <deengert@anl.gov>
cc: "kerberos@mit.edu" <kerberos@mit.edu>
Errors-To: kerberos-bounces@mit.edu

Quoting Sam Hartman <hartmans@mit.edu>:

>>> I have an application that uses HTTP (or HTTPS) to communicate
>>> between the server and the clients and neither are browsers or
>>> web servers...
>Douglas> Another option is that OpenSSL can encapsulate Kerberos
>Douglas> tickets in what SSL thinks are certificates.
>Please don't do this if you can avoid it.  Use either the Mozilla or
>the Microsoft style GSSAPI, or better yet don't use HTTP at all if you
>don't expect your application to be used by normal web browsers.

I can avoid it... As I told Douglas, I have control over server and client
code, so it is up to me to decide what I want... The lead developer's idea was to
use the Microsoft implementation using the "WWW-Authenticate: Negotiate" tag,
but it's more likely that I'll use the Mozilla implementation (using
GSS-Negotiate in the tag and pure GSS code encoded in base64) only and later
change to SPNEGO, which, from what I read in the SPNEGO RFC and the Microsoft
implementation, will be simple...

>There are some significant issues with RFC 2712 (Kerberos inside TLS)
>and even more significant issues with the OpenSSL implementation of
>that spec.

Is there (besides kx509) any implementation of this? Just to know, what issues??

-- 
Silvio Fonseca
Linux Consultant
-------------------------------------------------
Relato Consultoria de Informática
Rua Mto. João Gomes de Araújo, 106 cj. 42
Alto de Santana - São Paulo - SP
Telefones: (11) 6978-5253 / (11) 6978-5262
Fax: (11) 6971-3115

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
