[24643] in Kerberos

home help back first fref pref prev next nref lref last post

Re: Kerberos support in Thunderbird

daemon@ATHENA.MIT.EDU (Sam Hartman)
Wed Sep 14 19:08:28 2005

To: Jeffrey Hutzelman <jhutz@cmu.edu>
From: Sam Hartman <hartmans@mit.edu>
Date: Wed, 14 Sep 2005 19:07:02 -0400
In-Reply-To: <3613E5B5E0982CE7C94D545C@bistromath.pc.cs.cmu.edu> (Jeffrey
 Hutzelman's message of "Mon, 12 Sep 2005 13:39:56 -0400")
Message-ID: <tslvf138d0p.fsf@cz.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
cc: Jeffrey Altman <jaltman2@nyc.rr.com>
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu

>>>>> "Jeffrey" == Jeffrey Hutzelman <jhutz@cmu.edu> writes:

    Jeffrey> On Monday, September 12, 2005 15:13:27 +0000 Jeffrey
    Jeffrey> Altman
    Jeffrey> <jaltman2@nyc.rr.com> wrote:

    >> This can end up causing some problems for end users.  It is
    >> entirely possible for the GSSAPI authentication to succeed and
    >> yet the user will be unable to access the mailbox they are
    >> attempting to reach because the principal used is not the one
    >> which has authorization for accessing the mailbox.

    Jeffrey> And yet, it is what nearly every Kerberized application
    Jeffrey> in existance does, and it seems to work reasonably well.
    Jeffrey> I realize that you would like to see a better UI for
    Jeffrey> client credential selection, but today, this is the best
    Jeffrey> current practice.

I actually have to agree with Jeff Hutzelman here.  I think you
definitely want the default behavior to be what Thunderbird is doing
now: use the default principal and do gss if the server offers it.


--Sam

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

home help back first fref pref prev next nref lref last post