[24348] in Kerberos
HTTP mutual auth [Was: Need some tips on kerberizing our ENTIRE
daemon@ATHENA.MIT.EDU (Fred Dushin)
Thu Jul 28 07:48:16 2005
In-Reply-To: <42D2A57D.8010408@sun.com>
Mime-Version: 1.0 (Apple Message framework v733)
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Message-Id: <500CE218-6643-4739-9939-D817DD46C65D@fourfold.org>
Content-Transfer-Encoding: 7bit
From: Fred Dushin <fadushin@fourfold.org>
Date: Thu, 28 Jul 2005 07:47:03 -0400
To: Wyllys Ingersoll <wyllys.ingersoll@sun.com>
cc: Russ Allbery <rra@stanford.edu>
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu
Could you elaborate on how this would break the HTTP spec? I was
under the (admittedly naive) impression that more or less any
challenge-response authentication mechanism could be implemented in
HTTP via the HTTP 401 error code. So presumably I would think that
GSS context tokens could be exchanged through this mechanism. (E.g.,
client sends a request with an initial context token, server returns
an HTTP 401 with a continuation token, client resends request with
context completion token, and perhaps subsequent requests contain
some context identifier)
This approach may not be standard, but a standard authentication
mechanism could theoretically be proposed. I don't see how it breaks
HTTP, but I'm not an HTTP expert.
Thanks,
Fred
On Jul 11, 2005, at 12:59 PM, Wyllys Ingersoll wrote:
> Mutual authentication is not supported correctly because it is not possible
> to do so without violating the HTTP spec.
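The exchange Fred sketches above (initial token, 401 with a continuation token, resend with the completion token), as an added illustration that is not code from this thread or from MIT Kerberos: a client and server that carry opaque context tokens in the `Negotiate` header scheme that RFC 4559 later standardized for HTTP, with the server's own proof riding on the final 200 so the client can check mutual authentication before trusting the body. The HMAC-based "mechanism", the shared `KEY`, the `INIT`/`CHAL`/`RESP`/`DONE` token tags and the context-id layout are all constructed stand-ins for a real GSS-API mechanism.

```python
import base64, hashlib, hmac, os

KEY = b"constructed-shared-secret"  # constructed stand-in for a Kerberos session key

def mac(*parts): return hmac.new(KEY, b"|".join(parts), hashlib.sha256).digest()
def enc(raw): return "Negotiate " + base64.b64encode(raw).decode()
def dec(hdr): return base64.b64decode(hdr.split(" ", 1)[1])

class Server:
    """Keeps half-open contexts keyed by a context id carried inside the 401 token."""
    def __init__(self): self.pending = {}
    def handle(self, headers):
        if not headers.get("Authorization", "").startswith("Negotiate "):
            return 401, {"WWW-Authenticate": "Negotiate"}, b""
        kind, rest = dec(headers["Authorization"]).split(b"|", 1)
        if kind == b"INIT":                          # round 1: answer with a continuation token
            ctx, snonce = os.urandom(8), os.urandom(16)
            self.pending[ctx] = (rest, snonce)       # rest = client nonce
            return 401, {"WWW-Authenticate": enc(b"CHAL|" + ctx + snonce)}, b""
        if kind == b"RESP" and rest[:8] in self.pending:   # round 2: context completion
            cnonce, snonce = self.pending.pop(rest[:8])
            if hmac.compare_digest(rest[8:], mac(b"client", cnonce, snonce)):
                proof = mac(b"server", cnonce, snonce)   # mutual-auth proof travels on the 200
                return 200, {"WWW-Authenticate": enc(b"DONE|" + proof)}, b"secret payload"
        return 403, {}, b""

class Client:
    def __init__(self): self.cnonce, self.snonce, self.ctx = os.urandom(16), None, None
    def initial_token(self): return b"INIT|" + self.cnonce
    def continue_token(self, tok):                   # consume CHAL, produce RESP
        kind, rest = tok.split(b"|", 1)
        assert kind == b"CHAL", "unexpected continuation token"
        self.ctx, self.snonce = rest[:8], rest[8:]
        return b"RESP|" + self.ctx + mac(b"client", self.cnonce, self.snonce)
    def server_proof_ok(self, tok):                  # the mutual-authentication check
        kind, rest = tok.split(b"|", 1)
        return kind == b"DONE" and hmac.compare_digest(rest, mac(b"server", self.cnonce, self.snonce))

def fetch(client, server):
    """Drive the 401 loop; trust the body only if the server's final proof verifies."""
    token, headers = client.initial_token(), {}
    for _ in range(3):                               # bounded: a real client would cap rounds too
        headers["Authorization"] = enc(token)
        status, rh, body = server.handle(headers)
        if status == 401 and "WWW-Authenticate" in rh:
            token = client.continue_token(dec(rh["WWW-Authenticate"]))
        elif status == 200:
            return client.server_proof_ok(dec(rh["WWW-Authenticate"])), body
        else:
            return False, body
    return False, b""
```

Note that the server proof has to be checked on a 200 that already carries the body, which is the part of the design a client must get right before acting on the response.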
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos