GSSAPI x Kerberos

Douglas E. Engert deengert at anl.gov
Tue Jul 15 09:40:53 EDT 2003



Silvio Fonseca wrote:
> 
> Citando Sam Hartman <hartmans at mit.edu>:
> 
> >>> I have an application that uses HTTP (or HTTPS) to communicate
> >>> between the server and the clients and neither are browsers or
> >>> web servers...
> >Douglas> Another option is that OpenSSL can encapsulate Kerberos
> >Douglas> tickets in what SSL thinks are certificates.
> >Please don't do this if you can avoid it.  Use either the Mozilla or
> >the Microsoft style GSSAPI, or better yet don't use HTTP at all if you
> >don't expect your application to be used by normal web browsers.
> 
> I can avoid it... As I told Douglas, I have control over server and client
> code, so it is up to me to decide what I want... The lead developer's idea was to
> use the Microsoft implementation using the "WWW-Authenticate: Negotiate" tag,
> but it's more likely that I'll use the Mozilla implementation (using
> GSS-Negotiate in the tag and pure GSS code encoded in base64) only and later change
> to SPNEGO; from what I read in the SPNEGO RFC and the Microsoft implementation, it will
> be simple...
> 
> >There are some significant issues with RFC 2712 (Kerberos inside TLS)
> >and even more significant issues with the OpenSSL implementation of
> >that spec.
> 
> Is there (besides kx509) any implementation of this? Just to know, what are the issues?


kx509 is not an implementation of this at all. It in effect issues an X.509 certificate
and key which any browser can use. Kerberos is used to authenticate to the KCA once a day
or so to get a new certificate. The certificate is stored in the MS cert cache and looks
just like any other certificate, except it has a short lifetime. Netscape can access
the certificate and key via a PKCS11 plugin.

> 
> --
> Silvio Fonseca
> Linux Consultant
> -------------------------------------------------
> Relato Consultoria de Informática
> Rua Mto. João Gomes de Araújo, 106 cj. 42
> Alto de Santana - São Paulo - SP
> Telefones: (11) 6978-5253 / (11) 6978-5262
> Fax: (11) 6971-3115
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
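The distinction Silvio draws between putting a raw GSS token and a SPNEGO token in the Negotiate header comes down to the mechanism OID in the token's RFC 2743 framing: both a Kerberos V5 initial context token and a SPNEGO NegTokenInit are wrapped as [APPLICATION 0] { thisMech OID, innerContextToken }, so a server can tell them apart before handing the token to GSSAPI. The code below is an added example, not code from this thread or from the Mozilla, Microsoft or OpenSSL implementations discussed in it. The tokens it builds are constructed: only the framing and the mechanism OIDs are real, the inner bytes are placeholders rather than a real KRB_AP_REQ or NegTokenInit, and all function names are the example's own.

```python
import base64

# RFC 2743 section 3.1: every initial context token is framed as
#   [APPLICATION 0] IMPLICIT SEQUENCE { thisMech OID, innerContextToken }
# i.e. 0x60 <len> 0x06 <oidlen> <oid> <inner bytes>.  A raw Kerberos V5
# token and a SPNEGO NegTokenInit share this framing; they differ in thisMech.
KRB5_OID = "1.2.840.113554.1.2.2"
SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_OIDS = {
    KRB5_OID: "Kerberos V5 (raw GSS token, RFC 1964)",
    SPNEGO_OID: "SPNEGO (RFC 2478)",
}


def _der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _read_der_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0 or n > 4 or pos + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def encode_oid(dotted):
    """Dotted-decimal OID -> DER content octets (first two arcs packed, base-128 after)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(raw):
    """DER content octets -> dotted-decimal OID."""
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    if val:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def build_initial_context_token(mech_oid, inner):
    """Wrap inner bytes in the RFC 2743 InitialContextToken framing."""
    oid = encode_oid(mech_oid)
    body = b"\x06" + _der_len(len(oid)) + oid + inner
    return b"\x60" + _der_len(len(body)) + body


def negotiate_header(token):
    """Value for an 'Authorization: Negotiate <base64 token>' header."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


def classify_negotiate_header(value):
    """Parse 'Negotiate <base64>' and report which GSS mechanism the token carries."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        raise ValueError("not a Negotiate credential")
    token = base64.b64decode(b64, validate=True)
    if not token or token[0] != 0x60:
        raise ValueError("not an RFC 2743 InitialContextToken")
    length, pos = _read_der_len(token, 1)
    if length == 0 or pos + length != len(token):
        raise ValueError("token length does not match framing")
    if token[pos] != 0x06:
        raise ValueError("expected thisMech OID")
    oid_len, pos = _read_der_len(token, pos + 1)
    if pos + oid_len > len(token):
        raise ValueError("truncated thisMech OID")
    mech = decode_oid(token[pos:pos + oid_len])
    inner = token[pos + oid_len:]
    return {
        "mech": mech,
        "mech_name": MECH_OIDS.get(mech, "unknown mechanism"),
        "is_spnego": mech == SPNEGO_OID,
        "inner_len": len(inner),
    }


# Constructed sample tokens (assumption for the example): the inner bytes are
# placeholders, not a real KRB_AP_REQ (token id 0x01 0x00) or NegTokenInit.
RAW_KRB5_HEADER = negotiate_header(
    build_initial_context_token(KRB5_OID, b"\x01\x00" + b"placeholder-ap-req"))
SPNEGO_HEADER = negotiate_header(
    build_initial_context_token(SPNEGO_OID, b"placeholder-negtokeninit"))

if __name__ == "__main__":
    for hdr in (RAW_KRB5_HEADER, SPNEGO_HEADER):
        print(classify_negotiate_header(hdr))
```

Switching a client from the raw-token scheme to SPNEGO later, as Silvio plans, changes only the outer mechanism OID and the inner token; the base64 transport in the header and the server-side framing check stay the same, which is why the classifier above reads just the OID and leaves the inner token to the real GSSAPI library.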
