[24631] in Kerberos

home help back first fref pref prev next nref lref last post

Re: Kerberos support in Thunderbird

daemon@ATHENA.MIT.EDU (Jeffrey Hutzelman)
Mon Sep 12 13:41:02 2005

Date: Mon, 12 Sep 2005 13:39:56 -0400
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: Jeffrey Altman <jaltman2@nyc.rr.com>, kerberos@mit.edu
Message-ID: <3613E5B5E0982CE7C94D545C@bistromath.pc.cs.cmu.edu>
In-Reply-To: <rWgVe.31254$%w.4370@twister.nyc.rr.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
cc: Jeffrey Hutzelman <jhutz@cmu.edu>
Errors-To: kerberos-bounces@mit.edu

On Monday, September 12, 2005 15:13:27 +0000 Jeffrey Altman 
<jaltman2@nyc.rr.com> wrote:

> This can end up causing some problems for end users.  It is entirely
> possible for the GSSAPI authentication to succeed and yet the user
> will be unable to access the mailbox they are attempting to reach
> because the principal used is not the one which has authorization for
> accessing the mailbox.

And yet, it is what nearly every Kerberized application in existance does, 
and it seems to work reasonably well.  I realize that you would like to see 
a better UI for client credential selection, but today, this is the best 
current practice.

That said, most mail software I've seen does allow the user to specify the 
authentication mechanism to use on a per-account basis.  That would seem to 
be appropriate here, as well.

-- Jeff
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

home help back first fref pref prev next nref lref last post