GSSAPI x Kerberos

Frank Balluffi frank.balluffi at db.com
Fri Jul 11 13:41:12 EDT 2003


Sam,

Can you be more specific about "significant issues with RFC 2712". Thanks.

Frank



                                                                                                                                       
                      Sam Hartman                                                                                                      
                      <hartmans at MIT.EDU        To:       "Douglas E. Engert" <deengert at anl.gov>                                        
                      >                        cc:       "kerberos at mit.edu" <kerberos at mit.edu>                                         
                      Sent by:                 Subject:  Re: GSSAPI x Kerberos                                                         
                      kerberos-bounces@                                                                                                
                      mit.edu                                                                                                          
                                                                                                                                       
                                                                                                                                       
                      07/11/2003 08:45                                                                                                 
                      AM                                                                                                               
                                                                                                                                       
                                                                                                                                       




>>>>> "Douglas" == Douglas E Engert <deengert at anl.gov> writes:

    Douglas> silvio at gdora.com.br wrote:
    >>  Citando "Douglas E. Engert" <deengert at anl.gov>: > > The other
    >> problem I'll have to solve is to implement the authentication >
    >> over > > HTTP, any suggestions?
    >> >
    >> > Look at the kx509 from the University of Michigan. It uses
    >> Kerberos > authentication > to obtain a short term
    >> certificate. This certificate can then be used by IE > or
    >> Netscape.  > You then use the standard SSL in the browsers and
    >> web servers.  > The client can run on any Unix, Mac or Windows.
    >>
    >> Sorry, I forgot to give a few informations about why I need to
    >> use GSS over HTTP (the link will help anyway :-))
    >>
    >> I have an application that uses HTTP (or HTTPS) to communicate
    >> between the server and the clients and neither are browsers or
    >> web servers...

    Douglas> Another option is that OpenSSL can encapsulate Kerberos
    Douglas> tickets in what SSL thinks are certificates.
Please don't do this is you can avoid it.  Use either the Mozilla or
the Microsoft style GSSAPI, or better yet don't use HTTP at all if you
don't expect your application to be used by normal web browsers.

There are some significant issues with RFC 2712 (Kerberos inside TLS)
and even more significant issues with the OpenSSL implementation of
that spec.

________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos





--

This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.




More information about the Kerberos mailing list