[30134] in Kerberos


Re: SSO

daemon@ATHENA.MIT.EDU (Russ Allbery)
Fri Jul 18 22:41:24 2008

To: kerberos@mit.edu
In-Reply-To: <78c6bd860807181436y73483b68k405ad4b116eda1bd@mail.gmail.com>
	(Michael B. Allen's message of "Fri\,
	18 Jul 2008 17\:36\:59 -0400")
From: Russ Allbery <rra@stanford.edu>
Date: Fri, 18 Jul 2008 19:40:45 -0700
Message-ID: <8763r2fvf6.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

"Michael B Allen" <ioplex@gmail.com> writes:

> Your choices are based on necessity, not trust. If the web application
> needs delegated credentials (e.g. to authenticate as the user with
> another tier), then you need to send the TGT [1].

Unless you use a system such as WebAuth or Cosign that supports limited
delegation, in which case you can send only exactly the credentials that
the web application needs.

> [1] Kerberos provides other ways to limit how the TGT can be used and to
> proxy service tickets and such but I don't think browsers have support
> for such things yet.

They don't so far as I know.  Delegation in all the current browsers is an
all-or-nothing affair.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
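The distinction drawn above (a forwarded TGT versus only the service tickets the application needs) can be checked on the web server side by looking at what actually landed in the credential cache. The following is an added example, not code from either poster; it parses a constructed `klist -f` transcript (the date format and principal names are assumptions) and reports whether the cache holds a TGT, which is the all-or-nothing delegation case, or only service tickets.

```python
import re
from typing import Dict, List

# Constructed sample of MIT `klist -f` output on a web server after a
# browser delegated credentials. Principals, realm and dates are made up.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_apache_alice
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
07/18/2008 19:40:45  07/19/2008 05:40:45  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tFlags: FfA
07/18/2008 19:41:02  07/19/2008 05:40:45  imap/mail.example.com@EXAMPLE.COM
\tFlags: A
"""

# Ticket lines: two timestamps then the service principal. The MM/DD/YYYY
# layout is assumed here; klist follows the locale, so adjust if needed.
_TS = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
_ENTRY = re.compile(rf"^{_TS}\s+{_TS}\s+(?P<princ>\S+)\s*$")
# Flag letters from `klist -f`: F forwardable, f forwarded, P proxiable,
# p proxied, A preauthenticated (others exist but are not needed here).
_FLAGS = re.compile(r"^\s*Flags:\s*(?P<flags>\S*)\s*$")


def parse_klist(text: str) -> List[Dict[str, str]]:
    """Return one dict per ticket: service principal plus its flag string."""
    tickets: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            tickets.append({"principal": m.group("princ"), "flags": ""})
            continue
        m = _FLAGS.match(line)
        if m and tickets:
            tickets[-1]["flags"] = m.group("flags")
    return tickets


def is_tgt(principal: str) -> bool:
    return principal.startswith("krbtgt/")


def classify_delegation(text: str) -> str:
    """'none': no tickets; 'full': a TGT is present (browser-style
    all-or-nothing forwarding); 'limited': only service tickets."""
    tickets = parse_klist(text)
    if not tickets:
        return "none"
    if any(is_tgt(t["principal"]) for t in tickets):
        return "full"
    return "limited"
```

A forwarded TGT shows the lowercase `f` flag; in the sample it carries `FfA`, so the application could in turn forward it further.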
