credentials delegation over http

Adam Megacz megacz at cs.berkeley.edu
Mon Jun 18 17:19:36 EDT 2007


I've noticed that with most browsers the user needs to manually
configure their browser to tell it to delegate credentials to certain
hosts:

  http://www.grolmsnet.de/kerbtut/credentialsdelegation.html

If the user does not do so, they tend to get a fairly unhelpful
message back from the server ("authorization denied", etc).

Has there been any consideration given to including an HTTP
authorization header that amounts to "the server would like you to
delegate your credentials in order to proceed", so that web browsers
could prompt users for permission (with a suitably scary warning)
rather than the user having to figure out what setting to fiddle with?

Ideally this prompt could even include a duration dialog, so the
browser could fetch time-limited tickets (say, 30 seconds or so) and
send those to the server instead of the 10+ hour TGT (this would be
ideal for something like mod_waklog).

  - a

-- 
PGP/GPG: 5C9F F366 C9CF 2145 E770  B1B8 EFB1 462D A146 C380



