[7202] in Kerberos
Re: Kerberos and JAVA
daemon@ATHENA.MIT.EDU (Doug Engert)
Thu May 2 17:52:18 1996
Date: Thu, 2 May 1996 16:42:20 -0500
From: Doug Engert <DEEngert@anl.gov>
To: Sam Hartman <hartmans@MIT.EDU>
Cc: dennis.glatting@plaintalk.bellevue.wa.us, jwk3@acpub.duke.edu (Jay Kamm),
        kerberos@MIT.EDU
In-Reply-To: <tsl68ae3jic.fsf@tertius.mit.edu>

Sam Hartman writes:
> Netscape and some other web browsers have support for a
> public-key server authentication system called SSL. To upgrade it,
> you upgrade your web browser.
>
> Without getting into specific issues involved in the design of
> this scheme, you are basically admitting my point: you need security
> hooks inside the native code on the user's computer for security to
> work. I would prefer some sort of fully functional system--Kerberos
> within an organization large enough to justify it, some sort of public
> key system for consumers--than an over simplistic approach that allows
> me to download security-related class files.

Gradient is now selling their WebCrusader product, which among other
things uses a "proxy" agent running on the same machine as your
favorite browser. The browser sends all of its requests to the proxy.
The proxy understands OSF/DCE and will route normal traffic using
normal http type requests, but will use DCE secure RPCs to contact the
WebCrusader Server. The user authenticates to the proxy on the workstation.

DCE uses Kerberos 5 for authentication, and Kerberos 5 clients can
use the DCE security server as a K5 KDC.

I have not tried the WebCrusader yet, but have run the Gradient DCE PC
code to do a dcelogin, and used this with a Kerberized K5 telnet and
rlogin.

So your "fully functional system--Kerberos within an organization
large enough to justify it", including secure web access, is almost a
reality.

Douglas E. Engert
Systems Programming
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(708) 252-5444
Internet: DEEngert@anl.gov