GSSAPI x Kerberos
Silvio Fonseca
silvio at gdora.com.br
Fri Jul 11 10:17:44 EDT 2003
Quoting Sam Hartman <hartmans at mit.edu>:
>>> I have an application that uses HTTP (or HTTPS) to communicate
>>> between the server and the clients and neither are browsers or
>>> web servers...
>Douglas> Another option is that OpenSSL can encapsulate Kerberos
>Douglas> tickets in what SSL thinks are certificates.
>Please don't do this if you can avoid it. Use either the Mozilla or
>the Microsoft style GSSAPI, or better yet don't use HTTP at all if you
>don't expect your application to be used by normal web browsers.
I can avoid it... As I told Douglas, I have control over server and client
code, so it is up to me to decide what I want... The lead developer's idea was to
use the Microsoft implementation using the "WWW-Authenticate: Negotiate" tag,
but it's more likely that I'll use the Mozilla implementation (using
GSS-Negotiate in the tag and pure GSS code encoded in base64) only and later change
to SPNEGO, which, from what I read in the SPNEGO RFC and the Microsoft
implementation, will be simple...
>There are some significant issues with RFC 2712 (Kerberos inside TLS)
>and even more significant issues with the OpenSSL implementation of
>that spec.
Is there (besides kx509) any implementation of this? Just to know, what issues?
--
Silvio Fonseca
Linux Consultant
-------------------------------------------------
Relato Consultoria de Informática
Rua Mto. João Gomes de Araújo, 106 cj. 42
Alto de Santana - São Paulo - SP
Telefones: (11) 6978-5253 / (11) 6978-5262
Fax: (11) 6971-3115
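Added example, not part of the original message or of any project named in it: a server that accepts both header styles discussed above can tell a bare Kerberos GSS token from a SPNEGO-wrapped one by reading the mechanism OID in the RFC 2743 initial-token framing. The function names and the sample headers are assumptions constructed for illustration.

```python
import base64

# DER value bytes of the mechanism OIDs (without the 0x06 tag and length).
MECH_OIDS = {
    bytes.fromhex("2a864886f712010202"): "krb5",   # 1.2.840.113554.1.2.2
    bytes.fromhex("2b0601050502"): "spnego",       # 1.3.6.1.5.5.2
}

def _der_len(buf, pos):
    """Read a DER length at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_negotiate(header_value):
    """Return (scheme, mechanism) for a Negotiate-style header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "gss-negotiate"):
        raise ValueError("not a Negotiate scheme")
    token = base64.b64decode(b64.strip(), validate=True)
    # RFC 2743 sec. 3.1: 0x60 <len> 0x06 <oid-len> <oid> <inner token>
    if len(token) < 4 or token[0] != 0x60:
        raise ValueError("no GSS-API initial token framing")
    total, pos = _der_len(token, 1)
    if total < 2 or pos + total != len(token) or token[pos] != 0x06:
        raise ValueError("truncated or malformed token")
    oid_len, pos = _der_len(token, pos + 1)
    if pos + oid_len > len(token):
        raise ValueError("OID runs past end of token")
    return scheme, MECH_OIDS.get(token[pos:pos + oid_len], "unknown")

def _frame(oid, inner=b"CONSTRUCTED-PLACEHOLDER"):
    """Build a constructed sample token (short-form lengths only)."""
    body = bytes([0x06, len(oid)]) + oid + inner
    return base64.b64encode(bytes([0x60, len(body)]) + body).decode()

# Constructed sample headers; the inner bytes are not real Kerberos data.
SAMPLE_RAW = "GSS-Negotiate " + _frame(bytes.fromhex("2a864886f712010202"))
SAMPLE_SPNEGO = "Negotiate " + _frame(bytes.fromhex("2b0601050502"))

if __name__ == "__main__":
    for sample in (SAMPLE_RAW, SAMPLE_SPNEGO):
        print(classify_negotiate(sample))
```

Rejecting anything that does not parse, and logging the mechanism that did, keeps a later move from raw GSS tokens to SPNEGO from silently accepting an unexpected mechanism.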