Macintosh Safari Browser and IIS with Kerberos

Wyllys Ingersoll wyllys.ingersoll at sun.com
Fri Dec 5 19:32:25 EST 2003


On Fri, 2003-12-05 at 14:53, Tim Alsop wrote:
> It looks like we are in agreement on this, but I have another comment to make ... 
> 
> A company will often prefer the solution that is included in the product
>  they have deployed, if one exists, rather than installing any plug-ins
>  or add-ons. They are often forced to consider technical superiority as
>  a secondary priority and availability and ease of deployment become higher
>  priority in the decision process. 

Yup, I agree.

> 
> So, any alternative to SPNEGO or GSS-KRB5 for browser authentication will
>  only be used if the browser and web server vendors/developers implement 
> it into their native products. This is (IMHO) why Kerb-TLS has not been used

Yes, agreed. I'm pushing to get the SPNEGO stuff built as part of Mozilla
by default and not having it be a plugin that is only available from
sourceforge or someplace like that.  Corporations are not going to
standardize on something that requires an awkward addition in that
manner; it needs to be part of the original package.


>  by any customers - the desire is there, but the off-the-shelf browsers and 
> Web servers do not include native support for it. I wish Kerb-TLS would have
>  been chosen by Microsoft because it would give added protection with session
>  keys for encryption of HTTP traffic. At the moment SSL (with X509 certificates)
>  is needed for encrypted web communications when using Kerberos for authentication.
>
> Tim.
> 

So true.  Unfortunately, that's why we're stuck with IE and IIS and their
SPNEGO/HTTP implementation.  MS was the only vendor to implement this
and since they effectively control the development of both the browser
and the server (for their own platform), that is what customers see.
Even if Apache and Mozilla or [ insert your own favorite non-MS web
client here ] went in a separate direction with respect to
secure authentication, it would likely never catch on in a meaningful
way until it got IE support (or it became an easily pluggable addition
to IE).

I think folks can live without IIS, but it's harder to get large
organizations to migrate away from IE, unfortunately for them and
for everyone with an interest in security.

The discussions in the Mozilla bug for SPNEGO authentication have
considered making SSL a requirement with the SPNEGO auth method
or at least making it a configurable option to have it be required.

-Wyllys


> -----Original Message-----
> From: Sam Hartman [mailto:hartmans at mit.edu] 
> Sent: 05 December 2003 19:39
> To: wyllys.ingersoll at sun.com
> Cc: kerberos at mit.edu
> Subject: Re: Macintosh Safari Browser and IIS with Kerberos
> 
> >>>>> "Wyllys" == Wyllys Ingersoll <wyllys.ingersoll at sun.com> writes:
> 
>     Wyllys> Rightly or wrongly, customers want this support and they
>     Wyllys> want it without having to use IE.  The mozilla codebase
>     Wyllys> allows for extensions such as this to be added (or
>     Wyllys> deleted) pretty easily, so in the future, if HTTP-SASL
>     Wyllys> becomes a reality, it can be supported easily, likewise
>     Wyllys> krb5-tls.
> 
> O, to clarify, I agree this is useful technology.  As a customer, it is the best solution available to me today.
> 
> As a protocol developer, however, I cannot consider this to be a reasonable approach for standardization.



