WebISO: the killer kerberos app?
Russ Allbery
rra at stanford.edu
Tue Mar 9 01:14:27 EST 2004
kevin mcgowan <clunis at umich.edu> writes:
> With kx.509, users have the power to never send their Kerberos password
> over the network -- translating desktop single sign-on to the web.
> Cosign uses no domain cookies, allows users to logout of all cosign
> protected services, is capable of transferring Kerberos credentials
> among authorized web servers over an encrypted channel (not in a domain
> cookie or on the query string or in an implicit POST that requires
> javascript), works through firewalls, works across domains, runs on
> Apache 1.3, IIS, Java servlet containers, and has beta support for
> Apache 2.0. Naturally, all of this software is open source. Comments,
> suggestions, contributions, gladly accepted.
For whatever it's worth, the reason why we didn't go with a solution based
on client-side certificates is that it doesn't make it possible for
application servers to obtain credentials on behalf of the user and that
was one of our requirements. (We were also a bit worried about client
support -- cookie-based systems support lynx, for example. But that may
be a solved problem now except for very marginal browsers.)
The point about being able to do logout is a good one, though. With
WebAuth, you basically have to exit the browser when you're done to log
out; nothing else is really safe or sufficient.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>