[19576] in Kerberos
Re: GSSAPI x Kerberos
daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Tue Jul 15 09:42:26 2003
Message-ID: <3F140465.BAD24A9@anl.gov>
Date: Tue, 15 Jul 2003 08:40:53 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: Silvio Fonseca <silvio@gdora.com.br>
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
cc: "kerberos@mit.edu" <kerberos@mit.edu>
cc: Sam Hartman <hartmans@mit.edu>
Errors-To: kerberos-bounces@mit.edu
Silvio Fonseca wrote:
>
> Citando Sam Hartman <hartmans@mit.edu>:
>
> >>> I have an application that uses HTTP (or HTTPS) to communicate
> >>> between the server and the clients and neither are browsers or
> >>> web servers...
> >Douglas> Another option is that OpenSSL can encapsulate Kerberos
> >Douglas> tickets in what SSL thinks are certificates.
> >Please don't do this is you can avoid it. Use either the Mozilla or
> >the Microsoft style GSSAPI, or better yet don't use HTTP at all if you
> >don't expect your application to be used by normal web browsers.
>
> I can avoid it... As I told Douglas, I have control over server and client
> code, so it is up to me to decide what I want... The lead developer's idea was to
> use the Microsoft implementation using the "WWW-Authenticate: Negotiate" tag,
> but it's more likely that I'll use the Mozilla implementation (using GSS-
> Negotiate in the tag and pure GSS code encoded in base64) only and later change
> to SPNEGO, which, from what I read in the SPNEGO RFC and the Microsoft implementation, will
> be simple...
>
> >There are some significant issues with RFC 2712 (Kerberos inside TLS)
> >and even more significant issues with the OpenSSL implementation of
> >that spec.
>
> Is there (besides kx509) any implementation of this? Just to know, what issues??
kx509 is not an implementation of this at all. It in effect issues an x509 certificate
and key which any browser can use. Kerberos is used to authenticate to the kca once a day
or so to get a new certificate. The certificate is stored in the MS cert cache and looks
just like any other certificate, except it has a short lifetime. Netscape can access
the certificate and key via a PKCS11 plugin.
>
> --
> Silvio Fonseca
> Linux Consultant
> -------------------------------------------------
> Relato Consultoria de Informática
> Rua Mto. João Gomes de Araújo, 106 cj. 42
> Alto de Santana - São Paulo - SP
> Telefones: (11) 6978-5253 / (11) 6978-5262
> Fax: (11) 6971-3115
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
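As an added example (not code from this thread or from either poster), the Negotiate exchange Silvio describes above: the client wraps its GSS token in the RFC 2743 initial-context-token header and base64-encodes it into the Authorization header, and the server reads the mechanism OID to tell a raw Kerberos V5 token from an SPNEGO one before handing it to a GSS library. The inner token bytes and the mechanism names "krb5"/"spnego" are constructed placeholders; real tokens come from GSS_Init_sec_context.

```python
import base64

# DER-encoded MechType OIDs that open a GSS-API initial context token (RFC 2743 s.3.1)
MECHS = {bytes.fromhex("06092a864886f712010202"): "krb5",    # 1.2.840.113554.1.2.2 (RFC 1964)
         bytes.fromhex("06062b0601050502"): "spnego"}        # 1.3.6.1.5.5.2 (RFC 4178)
KRB5_OID, SPNEGO_OID = list(MECHS)  # dict keeps insertion order

def _der_len(n):
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _read_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, next position)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count

def build_initial_token(mech_oid, inner):
    """Wrap an inner token as [APPLICATION 0] { MechType, innerContextToken }."""
    body = mech_oid + inner
    return b"\x60" + _der_len(len(body)) + body

def client_header(mech_oid, inner):
    """Authorization header a client sends after a '401 WWW-Authenticate: Negotiate'."""
    return "Negotiate " + base64.b64encode(build_initial_token(mech_oid, inner)).decode()

def parse_negotiate(header):
    """Server side: return (mechanism name, inner token), or None if malformed."""
    scheme, _, data = header.partition(" ")
    if scheme != "Negotiate" or not data:
        return None
    try:
        tok = base64.b64decode(data, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None
    if len(tok) < 2 or tok[0] != 0x60:
        return None  # not a GSS-API initial context token
    body_len, pos = _read_len(tok, 1)
    if body_len < 2 or pos + body_len != len(tok) or tok[pos] != 0x06:
        return None  # bad outer length, or no MechType OID where one must be
    oid_len, oid_start = _read_len(tok, pos + 1)
    oid_end = oid_start + oid_len
    mech = MECHS.get(tok[pos:oid_end])  # compare the whole DER OID element
    return None if mech is None else (mech, tok[oid_end:])
```

Rejecting a token whose MechType is not one the server is prepared to accept, before any GSS call, is the cheap check this parse makes possible.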
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos