WebISO: the killer kerberos app?

Wyllys Ingersoll wyllys.ingersoll at sun.com
Mon Mar 8 14:32:28 EST 2004


On Mon, 2004-03-08 at 14:21, Russ Allbery wrote:
> Wyllys Ingersoll <wyllys.ingersoll at sun.com> writes:
> 
> > Writing new code is the barrier that will prevent it from going much
> > beyond the experimental stage unless it is adopted by a mainstream
> > browser (mozilla) and web server (apache).
> 
> What makes you think that WebAuth hasn't gone beyond the experimental
> stage?
> 

I guess I chose the wrong words there.  Basically, I just meant moving
it beyond Stanford and into the mainstream.  I did not mean to 
marginalize your efforts.


> >> My impression is that Kerberos v5 is a standardized protocol and that
> >> compatibility bugs are considered exactly that and fixed.  Am I being
> >> naive about that?
> 
> > The protocol is standard, but the programming APIs are not.  A site 
> > with MIT libraries will not be able to run apps that compiled against
> > Heimdal libraries, for example.  GSSAPI is a standardized programming
> > API, code that is properly written will generally compile cleanly
> > against MIT, Heimdal, and Solaris GSSAPI libraries without modifying
> > the code.
> 
> This is not my experience in maintaining Kerberos software that has to
> work with both MIT and Heimdal.  The GSSAPI implementations are subtly
> different and require Autoconf detection to work out the right things to
> do.  I've had to do more porting of GSSAPI code than raw Kerberos v5 code,
> in fact.

That may be true depending on whether or not the code is calling
non-standard bits of GSSAPI.  Each vendor has implemented some 
non-standard GSSAPI calls that are generally not as portable.
However, it is possible to write portable GSSAPI without much
trouble, one must just be aware of what parts are standard
API and what are private/non-standard.

> 
> I have no experience with Sun Kerberos and know of no one who's using it,
> so I can't comment there.

ouch! :)   It's based on MIT KRB5, but we do not expose the raw KRB5
APIs, instead we recommend that developers write to the GSSAPI layer
for portability and extensibility.


> > Agreed.  However, the systems need to already have Kerberos software
> > installed and configured in order to even consider using browser SSO,
> 
> No, they don't.
> 
> I think you've missed how WebAuth works.  It doesn't require any software
> on the client side whatsoever except for a browser that supports SSL and
> cookies.

Ah, I see what you mean.  You are correct, I misunderstood the client
side requirements.

-Wyllys





