Kerberos support in Thunderbird

Jim Alexander jalex at cis.upenn.edu
Wed Sep 14 23:04:13 EDT 2005


In article <tslr7br8cw2.fsf at cz.mit.edu>, Sam Hartman <hartmans at mit.edu> wrote:
]
]sorry, but I'm fairly sure the GSSAPI SASL mechanism falls within the
]definition of IMAP secure authentication.

Yes, I wasn't at all clear what I meant there. I was not referring to the
general definition of "secure authentication," which GSSAPI certainly
falls into. I meant the "secure authentication" preference that appears
in other popular mailers - this usually means something like NTLM or
CRAM-MD5. I think its current usage in Thunderbird is confusing.

In any case, as I said in other posts, I think that the user needs to
be given a way to explicitly specify the desired authentication mechanism,
and needs to be told when their auth of choice has failed, not just
autonegotiate down an auth chain in an undocumented order.

]    Jim> (b) If my ticket cache is empty, Thunderbird correctly posts
]    Jim> a "your server does not support secure authentication"
]    Jim> dialog. My key manager never prompts me to obtain a ticket.
]
]On Mac and Windows this is not at all what I'd expect.  I'd expect you
]to be prompted to get tickets.

Exactly, but instead Thunderbird just gives up and falls back to something
else, and it's totally unclear to the user what went wrong.

-- 

________ Jim Alexander __________________ jalex at cis.upenn.edu ________________
I have yet to see a problem, however complicated, which, when you looked at it
in the right way, did not become still more complicated.      -- Poul Anderson

