[24643] in Kerberos
Re: Kerberos support in Thunderbird
daemon@ATHENA.MIT.EDU (Sam Hartman)
Wed Sep 14 19:08:28 2005
To: Jeffrey Hutzelman <jhutz@cmu.edu>
From: Sam Hartman <hartmans@mit.edu>
Date: Wed, 14 Sep 2005 19:07:02 -0400
In-Reply-To: <3613E5B5E0982CE7C94D545C@bistromath.pc.cs.cmu.edu> (Jeffrey
Hutzelman's message of "Mon, 12 Sep 2005 13:39:56 -0400")
Message-ID: <tslvf138d0p.fsf@cz.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
cc: Jeffrey Altman <jaltman2@nyc.rr.com>
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu
>>>>> "Jeffrey" == Jeffrey Hutzelman <jhutz@cmu.edu> writes:
Jeffrey> On Monday, September 12, 2005 15:13:27 +0000 Jeffrey
Jeffrey> Altman
Jeffrey> <jaltman2@nyc.rr.com> wrote:
>> This can end up causing some problems for end users. It is
>> entirely possible for the GSSAPI authentication to succeed and
>> yet the user will be unable to access the mailbox they are
>> attempting to reach because the principal used is not the one
>> which has authorization for accessing the mailbox.
Jeffrey> And yet, it is what nearly every Kerberized application
Jeffrey> in existance does, and it seems to work reasonably well.
Jeffrey> I realize that you would like to see a better UI for
Jeffrey> client credential selection, but today, this is the best
Jeffrey> current practice.
I actually have to agree with Jeff Hutzelman here. I think you
definitely want the default behavior to be what Thunderbird is doing
now: use the default principal and do gss if the server offers it.
--Sam
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos