Challenging clients, why another ping-pong?

Nico Williams nico at cryptonector.com
Thu Feb 6 14:26:53 EST 2014


I brain-o'ed on privacy protection.  I understand what you meant now.
See what Greg and Russ have to say.  But I'll add a piece here as
well:

 - HTTP is not a simple protocol: there are proxies and routers involved.

 - HTTP servers often act as routers.

 - There can be many hops.

 - A notional service might be composed of many sub-services.  How to
authenticate them to the user?

 - HTTP is NOT connection-oriented.  Requests and responses go over
the same pipe, but that's about as far as connections relate to
requests.

Clearly a single GSS security context token exchange per-connection
isn't going to cut it, even with TLS and channel binding to it.

Clearly a GSS security context token exchange per-request (!) is
awful, though it is what actually happens in many cases.

Several attempts have been made to address this.  At the moment there
seems to be no interest in actually implementing and standardizing any
proposals other than Google's channel-bound cookie concept.  I believe
that to be a fine solution.  I'll explain more later.

Nico
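To make the channel-bound cookie idea concrete, here is an added illustration (not code from the post or from Google's implementation): after one successful authentication the server issues a cookie whose MAC covers the TLS channel binding value, so the same cookie fails verification when presented over any other channel. The channel binding is assumed to be an opaque byte string reported by the TLS layer (e.g. tls-unique or an exporter value); the MAC construction is a simplified model, not any deployed format.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed server-side MAC key; a real deployment would load it from a key store.
SERVER_KEY = secrets.token_bytes(32)
SEP = "|"


def _mac(key: bytes, principal: str, nonce: str, channel_binding: bytes) -> str:
    # The channel binding goes into the MAC input but is never placed in the cookie.
    msg = principal.encode() + b"\0" + nonce.encode() + b"\0" + channel_binding
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_cookie(principal: str, channel_binding: bytes, key: bytes = SERVER_KEY) -> str:
    """Issue a session cookie after a successful (e.g. GSS) authentication.

    channel_binding is the assumed opaque value the TLS layer reports for the
    client's channel. Folding it into the MAC means the cookie only verifies
    when it is presented over that same channel.
    """
    if SEP in principal:
        raise ValueError("principal must not contain the separator")
    nonce = secrets.token_hex(16)
    tag = _mac(key, principal, nonce, channel_binding)
    return SEP.join((principal, nonce, tag))


def verify_cookie(cookie: str, channel_binding: bytes, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the authenticated principal, or None if the cookie is malformed,
    tampered with, or presented over a different channel than it was issued on."""
    parts = cookie.split(SEP)
    if len(parts) != 3:
        return None
    principal, nonce, tag = parts
    expected = _mac(key, principal, nonce, channel_binding)
    return principal if hmac.compare_digest(expected, tag) else None


if __name__ == "__main__":
    cb_client = b"constructed-tls-binding-A"   # channel the user authenticated on
    cb_other = b"constructed-tls-binding-B"    # some other TLS channel
    cookie = issue_cookie("alice@EXAMPLE.COM", cb_client)
    print(verify_cookie(cookie, cb_client))   # alice@EXAMPLE.COM
    print(verify_cookie(cookie, cb_other))    # None: cookie is bound to channel A
```

Each request still needs the TLS layer to hand the server the current channel binding; the saving is that the expensive GSS exchange happens once per session rather than once per request or once per connection.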