Macintosh Safari Browser and IIS with Kerberos

Tim Alsop Tim.Alsop at CyberSafe.Ltd.UK
Fri Dec 5 14:53:23 EST 2003


It looks like we are in agreement on this, but I have another comment to make ... 

A company will often prefer the solution that is included in the product they have deployed, if one exists, rather than installing any plug-in's or add-on's. They are often forced to consider technical superiority as a secondary priority and availability and ease of deployment become higher priority in the decision process. 

So, any alternative to SPNEGO or GSS-KRB5 for browser authentication will only be used if the browser and web server vendors/developers implement it into their native products. This is (IMHO) why Kerb-TLS has not been used by any customers - the desire is there, but the off-the-shelf browsers and Web servers do not include native support for it. I wish Kerb-TLS would have been chosen by Microsoft because it would give added protection with session keys for encryption of HTTP traffic. At the moment SSL (with X509 certificates) is needed for encrypted web communications when using Kerberos for authentication.

Tim.

-----Original Message-----
From: Sam Hartman [mailto:hartmans at mit.edu] 
Sent: 05 December 2003 19:39
To: wyllys.ingersoll at sun.com
Cc: kerberos at mit.edu
Subject: Re: Macintosh Safari Browser and IIS with Kerberos

>>>>> "Wyllys" == Wyllys Ingersoll <wyllys.ingersoll at sun.com> writes:

    Wyllys> Rightly or wrongly, customers want this support and they
    Wyllys> want it without having to use IE.  The mozilla codebase
    Wyllys> allows for extensions such as this to be added (or
    Wyllys> deleted) pretty easily, so in the future, if HTTP-SASL
    Wyllys> becomes a reality, it can be supported easily, likewise
    Wyllys> krb5-tls.

O, to clarify, I agree this is useful technology.  As a customer, it is the best solution available to me today.

As a protocol developer, however, I cannot consider this to be a reasonable approach for standardization.

________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


More information about the Kerberos mailing list