HTTP mutual auth [Was: Need some tips on kerberizing our ENTIRE network]
Fred Dushin
fadushin at fourfold.org
Thu Jul 28 07:47:03 EDT 2005
Could you elaborate on how this would break the HTTP spec? I was
under the (admittedly naive) impression that more or less any
challenge-response authentication mechanism could be implemented in
HTTP via the HTTP 401 error code. So presumably I would think that
GSS context tokens could be exchanged through this mechanism. (E.g.,
client sends a request with an initial context token, server returns
an HTTP 401 with a continuation token, client resends request with
context completion token, and perhaps subsequent requests contain
some context identifier).
This approach may not be standard, but a standard authentication
mechanism could theoretically be proposed. I don't see how it breaks
HTTP, but I'm not an HTTP expert.
Thanks,
Fred
On Jul 11, 2005, at 12:59 PM, Wyllys Ingersoll wrote:
> Mutual authentication is not supported correctly because it is not possible
> to do so without violating the HTTP spec.
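The multi-leg 401 exchange Fred sketches, as an added example that is not part of the original thread: a toy mechanism (HMAC under a constructed shared key, standing in for real GSS/Kerberos context tokens) carried in Negotiate-style headers. The server keeps per-context state keyed by a context identifier because HTTP itself keeps none, and the client checks the server's proof before completing the context, which is what makes the authentication mutual. Header names follow the Negotiate scheme; the token layout is invented for the example.

```python
"""Toy model of a 401 challenge-response exchange with a continuation token.
A keyed HMAC stands in for a GSS mechanism (constructed; not Kerberos)."""
import base64, hashlib, hmac, json, os

KEY = b"constructed-shared-secret"  # stands in for a session key both sides hold

def mac(*parts):
    return hmac.new(KEY, b"|".join(parts), hashlib.sha256).hexdigest()

def enc(token):  # token dict -> base64 header value, like the Negotiate scheme
    return base64.b64encode(json.dumps(token).encode()).decode()

def dec(value):
    return json.loads(base64.b64decode(value))

class Server:
    def __init__(self):
        self.contexts = {}  # context id -> state; HTTP carries no state between requests

    def handle(self, headers):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Negotiate "):
            return 401, {"WWW-Authenticate": "Negotiate"}, ""
        tok = dec(auth[len("Negotiate "):])
        if tok["leg"] == 1:  # initial context token: answer 401 with a continuation token
            cid, snonce = os.urandom(8).hex(), os.urandom(8).hex()
            self.contexts[cid] = {"snonce": snonce, "done": False}
            cont = enc({"cid": cid, "snonce": snonce, "proof": mac(b"srv", tok["cnonce"].encode())})
            return 401, {"WWW-Authenticate": "Negotiate " + cont}, ""
        ctx = self.contexts.get(tok.get("cid"))
        if ctx is None:
            return 401, {"WWW-Authenticate": "Negotiate"}, ""
        if not ctx["done"]:  # context completion token must prove knowledge of the server nonce
            if not hmac.compare_digest(tok.get("proof", ""), mac(b"cli", ctx["snonce"].encode())):
                return 401, {"WWW-Authenticate": "Negotiate"}, ""
            ctx["done"] = True
        return 200, {}, "hello " + tok["cid"]  # later requests carry only the context id

def client(server):
    cnonce = os.urandom(8).hex()
    status, hdrs, _ = server.handle({"Authorization": "Negotiate " + enc({"leg": 1, "cnonce": cnonce})})
    if status != 401:
        raise ValueError("expected a continuation token")
    chal = dec(hdrs["WWW-Authenticate"].split(" ", 1)[1])
    # Mutual authentication: verify the server's proof before completing the context.
    if not hmac.compare_digest(chal["proof"], mac(b"srv", cnonce.encode())):
        raise ValueError("server failed to authenticate")
    done = enc({"leg": 2, "cid": chal["cid"], "proof": mac(b"cli", chal["snonce"].encode())})
    return server.handle({"Authorization": "Negotiate " + done})
```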