HTTP mutual auth [Was: Need some tips on kerberizing our ENTIRE network]

[Wyllys Ingersoll]

I *think* the problem is that Microsoft is returning a "200 OK" message 
but it has
additional authentication header fields attached to it.   If they were 
using the 401
code, that would be OK, but they are using 200 and adding the final 
mutual-auth
GSSAPI tokens to it, which, I believe, is a violation.  At least that is 
what the Mozilla
guys told me a while ago when I was working on it.

-Wyllys


Fred Dushin wrote:
>
>  Could you elaborate on how this would break the HTTP spec? I was
>  under the (admittedly naive) impression that more or less any
>  challenge-response authentication mechanism could be implemented in
>  HTTP via the HTTP 401 error code. So presumably I would think that
>  GSS context tokens could be exchanged through this mechanism. (E.g.,
>  client sends a request with an initial context token, server returns
>  an HTTP 401 with a continuation token, client resends request with
>  context completion token, and perhaps subsequent requests contain
>  some context identifier)
>
>  This approach may not be standard, but a standard authentication
>  mechanism could theoretically be proposed. I don't see how it breaks
>  HTTP, but I'm not an HTTP expert.
>
>  Thanks, Fred
>
>  On Jul 11, 2005, at 12:59 PM, Wyllys Ingersoll wrote:
>
> > Mutual authentication is not supported correctly because it is not
> > possible to do so without violating the HTTP spec.