Macintosh Safari Browser and IIS with Kerberos
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Fri Dec 5 14:09:21 EST 2003
There is work in progress to add a mozilla "extension" that properly
supports the IE/IIS "negotiate" mechanism, either with SPNEGO or
with GSS/krb5 (either will work with IIS).
Rightly or wrongly, customers want this support and they want
it without having to use IE. The mozilla codebase allows
for extensions such as this to be added (or deleted) pretty easily,
so in the future, if HTTP-SASL becomes a reality, it can be
supported easily, likewise krb5-tls.
See this Mozilla bug report for the gory details:
http://bugzilla.mozilla.org/show_bug.cgi?id=17578
If there is to be any hope for a better solution, it will
have to be made available for both the servers (apache, et al),
and browsers (mozilla, safari, etc) and the public
will need to be educated as to why this is a superior
approach. Of course, it would also help if Microsoft would
adopt it in IIS and/or IE.
-Wyllys
On Fri, 2003-12-05 at 12:58, Sam Hartman wrote:
> >>>>> "Tim" == Tim Alsop <Tim.Alsop at CyberSafe.Ltd.UK> writes:
>
>
> Tim> If will be useful, if in the future this submission gets
> Tim> taken by somebody, improved and progressed through IETF.
>
> It will not. The HTTP and GSSAPI communities have both made it very
> clear that the approach is not generally acceptable.
>
> Please look at draft-nystrom-http-sasl-09.txt for an example of
> something going more in a direction that might progress within the
> IETF.
>
> Also, there is krb5 TLS, which is an RFC, but also has problems.
>
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Wyllys Ingersoll <wyllys.ingersoll at sun.com>
More information about the Kerberos
mailing list