[24377] in Kerberos


Re: HTTP mutual auth [Was: Need some tips on kerberizing our ENTIRE

daemon@ATHENA.MIT.EDU (Wyllys Ingersoll)
Mon Aug 1 11:10:46 2005

Message-ID: <42EE3B17.4090902@sun.com>
Date: Mon, 01 Aug 2005 11:09:11 -0400
From: Wyllys Ingersoll <wyllys.ingersoll@sun.com>
MIME-Version: 1.0
To: Fred Dushin <fadushin@fourfold.org>
In-Reply-To: <500CE218-6643-4739-9939-D817DD46C65D@fourfold.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
cc: Russ Allbery <rra@stanford.edu>
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu


I *think* the problem is that Microsoft is returning a "200 OK" message but it has additional authentication header fields attached to it. If they were using the 401 code, that would be OK, but they are using 200 and adding the final mutual-auth GSSAPI tokens to it, which, I believe, is a violation. At least that is what the Mozilla guys told me a while ago when I was working on it.

-Wyllys


Fred Dushin wrote:
>
>  Could you elaborate on how this would break the HTTP spec? I was
>  under the (admittedly naive) impression that more or less any
>  challenge-response authentication mechanism could be implemented in
>  HTTP via the HTTP 401 error code. So presumably I would think that
>  GSS context tokens could be exchanged through this mechanism. (E.g.,
>  client sends a request with an initial context token, server returns
>  an HTTP 401 with a continuation token, client resends request with
>  context completion token, and perhaps subsequent requests contain
>  some context identifier)
>
>  This approach may not be standard, but a standard authentication
>  mechanism could theoretically be proposed. I don't see how it breaks
>  HTTP, but I'm not an HTTP expert.
>
>  Thanks, Fred
>
>  On Jul 11, 2005, at 12:59 PM, Wyllys Ingersoll wrote:
>
> > Mutual authentication is not supported correctly because it is not
> > possible to do so without violating the HTTP spec.

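The exchange the two messages above describe, as an added example that is not code from the original thread or from any of the implementations mentioned: a client-side handler for the Negotiate responses that treats a 200 OK carrying a WWW-Authenticate token as the step that completes mutual authentication (the behaviour later documented in RFC 4559) and refuses to consume the body if mutual authentication was required but never established. The GSS-API context is a constructed stand-in (MockGssContext, and its INITIAL/CONTINUE/FINAL token values are assumptions); a real client would drive gss_init_sec_context instead.

```python
import base64
from typing import Optional

# Constructed stand-in for a GSS-API context (a real client would drive
# gss_init_sec_context); the token values are arbitrary bytes chosen for this
# example. Only the HTTP-level handling of the tokens is modelled.
class MockGssContext:
    INITIAL, CONTINUE, FINAL = b"c-initial", b"s-continue", b"s-final"
    complete = False                        # set on the instance once verified

    def step(self, server_token: Optional[bytes]) -> Optional[bytes]:
        if server_token is None:            # first call: emit the initial token
            return self.INITIAL
        if server_token == self.CONTINUE:   # more rounds needed, context not done
            return b"c-next"
        if server_token != self.FINAL:      # the mutual-authentication check
            raise ValueError("server token failed verification")
        self.complete = True
        return None

def negotiate_token(headers: dict) -> Optional[bytes]:
    """Decode 'WWW-Authenticate: Negotiate <base64>'; None if absent or empty."""
    scheme, _, token = headers.get("WWW-Authenticate", "").partition(" ")
    if scheme != "Negotiate" or not token.strip():
        return None
    return base64.b64decode(token.strip())

def handle_negotiate_response(status: int, headers: dict, ctx: MockGssContext,
                              require_mutual: bool = True) -> bool:
    """Handle one response of a Negotiate exchange on the client side.
    The server may carry the final mutual-auth token on a 200 OK rather than
    a 401, so WWW-Authenticate must be checked on success too. Returns True
    when the body may be consumed, False if another round trip is needed."""
    token = negotiate_token(headers)
    if status == 401:
        if token is not None:
            ctx.step(token)                 # continuation token, keep going
        return False
    if status == 200:
        if token is not None:
            ctx.step(token)                 # final token: verifies the server
        if require_mutual and not ctx.complete:
            raise PermissionError("mutual authentication not established")
        return True
    raise ValueError(f"unexpected status {status}")

def b64(token: bytes) -> str:
    return base64.b64encode(token).decode()
```

A client that only looks at WWW-Authenticate on 401 responses will accept the 200 OK without ever verifying the server's token, which is the silent loss of mutual authentication the thread is about.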

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
