Browser authentication

Tim Alsop Tim.Alsop at CyberSafe.Ltd.UK
Fri Feb 27 08:07:33 EST 2004


Andreas,

The SASL/GSS/HTTP approach is considered by some (including myself) to be better than the SPNEGO based solution that Microsoft have included in IE and IIS. The MS solution is based on an individual IETF draft and didn't progress to a standard, but is widely used.

We (CyberSafe) have implemented our own GSS based web browser authentication solution that works with any browser (without any updates to the browser that is installed on each workstation) and can be ported to any web server, but we currently only support Apache. Our solution has the advantage that it will work with web server clusters as well as offering replay attack detection and the ability to work with proxy servers. The MS solution does not work with a proxy server and hence MS ISA Server is not supported (for example).

I agree that this is better discussed within the SASL IETF WG instead of Kerberos WG.

Regards, Tim.

-----Original Message-----
From: Andreas [mailto:andreas at conectiva.com.br] 
Sent: 27 February 2004 13:05
To: kerberos at mit.edu
Subject: Re: Browser authentication

On Mon, Feb 23, 2004 at 09:20:26AM -0500, Wyllys Ingersoll wrote:
> The correct way to do this is with GSSAPI, Microsoft implemented

Couldn't SASL be used instead (and then gssapi)? Maybe a question for another forum, though.

________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

