Kerberos support in Thunderbird

Sam Hartman hartmans at MIT.EDU
Wed Sep 14 19:07:02 EDT 2005


>>>>> "Jeffrey" == Jeffrey Hutzelman <jhutz at cmu.edu> writes:

    Jeffrey> On Monday, September 12, 2005 15:13:27 +0000 Jeffrey
    Jeffrey> Altman
    Jeffrey> <jaltman2 at nyc.rr.com> wrote:

    >> This can end up causing some problems for end users.  It is
    >> entirely possible for the GSSAPI authentication to succeed and
    >> yet the user will be unable to access the mailbox they are
    >> attempting to reach because the principal used is not the one
    >> which has authorization for accessing the mailbox.

    Jeffrey> And yet, it is what nearly every Kerberized application
    Jeffrey> in existance does, and it seems to work reasonably well.
    Jeffrey> I realize that you would like to see a better UI for
    Jeffrey> client credential selection, but today, this is the best
    Jeffrey> current practice.

I actually have to agree with Jeff Hutzelman here.  I think you
definitely want the default behavior to be what Thunderbird is doing
now: use the default principal and do gss if the server offers it.


--Sam



More information about the Kerberos mailing list