WebISO: the killer kerberos app?
kevin mcgowan
clunis at umich.edu
Tue Mar 9 09:38:38 EST 2004
On Mar 9, 2004, at 1:14 AM, Russ Allbery wrote:
> For whatever it's worth, the reason why we didn't go with a solution based
> on client-side certificates is that it doesn't make it possible for
> application servers to obtain credentials on behalf of the user and that
> was one of our requirements. (We were also a bit worried about client
> support -- cookie-based systems support lynx, for example. But that may
> be a solved problem now except for very marginal browsers.)
This actually isn't true for kx509 -- at least not if one is using KCT.
mod_kct uses evidence of the ssl handshake to request Kerberos
credentials on behalf of the user:
http://www.citi.umich.edu/projects/kerb_pki/
From our perspective, it doesn't much matter how the user executed
initial sign-on (e.g. with a password or with a cert), the rest of the
session looks the same from the web app's perspective. What remains to
be seen is what percentage of our users will actually bother to install
client software to use web apps.
> The point about being able to do logout is a good one, though. With
> WebAuth, you basically have to exit the browser when you're done to log
> out; nothing else is really safe or sufficient.
Like Stanford, Michigan's been in the webiso business for a very long
time, and the inability to logout satisfactorily was one of our
perennial gripes. It was difficult to implement, but I've been
gratified that a vastly higher percentage of users than I expected
actually take advantage of it on a regular basis.
Kevin
... "In, as you say, the mud." ...