Macintosh Safari Browser and IIS with Kerberos
Tim Alsop
Tim.Alsop at CyberSafe.Ltd.UK
Fri Dec 5 12:44:24 EST 2003
Sam,
Thank you for correcting me on this.
It is very unfortunate that so many companies/people are using, or considering using this 'individual submission' for their Kerberos web authentication needs. I keep hearing about references to products/companies/people who have added this SPNEGO protocol to Apache, Netscape, Mozilla etc. just so that their products can remain compatible with Microsoft IE and IIS. It appears Apple did the same ...
It will be useful if, in the future, this submission gets taken by somebody, improved and progressed through IETF.
Looks like we will have to live with it for now!
Tim.
-----Original Message-----
From: Sam Hartman [mailto:hartmans at mit.edu]
Sent: 05 December 2003 17:42
To: Tim Alsop
Cc: swbell; kerberos at mit.edu
Subject: Re: Macintosh Safari Browser and IIS with Kerberos
>>>>> "Tim" == Tim Alsop <Tim.Alsop at CyberSafe.Ltd.UK> writes:
Tim> Sam,
Tim> Surely one view to take on this is :
Tim> Apple have taken a decision to implement the IETF draft
Tim> protocol that Microsoft use in IE and IIS. They have done
Tim> this, but not correctly. If they are going to implement an
Tim> IETF draft they should make their browser work the same way
Tim> that IE works so that IIS cannot tell the difference ???
This is wrong on so many levels, including:
* The protocol is an individual submission, not an IETF draft. It has
not been subjected to IETF review, and the review it has received is
rather negative.
* The draft does not mandate any particular policy for when
credentials are delegated.