[6601] in Kerberos

Re: Authentication Only ?

daemon@ATHENA.MIT.EDU (Michael Grubb)
Mon Feb 5 11:46:49 1996

To: kerberos@MIT.EDU
Date: 5 Feb 1996 11:01:56 -0500
From: mg@ac.duke.edu (Michael Grubb)

In article <4f03af$aes@news.duke.edu>, 
mg@ac.duke.edu (Michael Grubb) writes:

>|> Depending on your environment, the user community may be willing to
>|> trust a single, trustworthy web authentication service managed by the
>|> same people managing the KDC.
 
In article <4f2vis$4o7@jik.datasrv.co.il>,
Jonathan Kamens <jik@annex-1-slip-jik.cam.ov.com> writes:

>Trusting the web authentication service isn't the problem.  Trusting all the
>people who can put snoopers on the wire and capture your password as you're
>sending it *to* the web authentication service is the problem.

That's why I suggested encrypting the transaction via, for example, SSL.

Consider that there may be two separable problems here: cleartext passwords
over the wire that can be snooped, and giving your password to anything other
than your local kinit program.  The former is easily fixed with readily 
available technology such as SSL.  The latter is only addressed by a 
kerberized http, as in the latest versions of Mosaic and httpd from NCSA.

     -- M.
 

--
Michael Grubb <mg@oit.duke.edu> "not qualified to appear in public"