HTTP && HTTPS Transport Review

Henry B. Hotz hotz at jpl.nasa.gov
Fri Aug 16 14:07:10 EDT 2013


On Aug 13, 2013, at 9:17 AM, <krbdev-request at mit.edu> wrote:

>> * Please create a project page with a design writeup.  It is difficult
>> for us to review code without an accompanying design document, as we
>> have to intuit the design from the code changes.  If you don't have a
>> wiki account, you'll need to talk to Tom Yu (tlyu on irc) about
>> registering one; we unfortunately had to disable open registration
>> because of spammers.
> 
> Alright, I was hoping this would be small enough to not need a design
> page.  One has been created here:
> 
>    http://k5wiki.kerberos.org/wiki/Projects/HTTP_Transport

The fact that there is no existing (non-proprietary) spec means you are in effect asking MIT to "take sides".

Speaking as someone who doesn't use either of the extant k5-over-http thingies, I can make some observations:

1) K5-over-http is (or at least should be from a design perspective) orthogonal to the question of K5-over-TLS.  There is also STARTTLS.  The value of it is independent of the value of using http[s]://.

2) As Nico said GET is supposed to be idempotent.  The only violation in the existing Heimdal implementation is that the KDC does not record the session key to guarantee a repeat request gets a literally identical (as opposed to functionally equivalent) response.  Considering how other things have worse violations, I don't think that's important.

3) The standards community has already voted to support FAST over STARTTLS when full content privacy of the AS exchange is needed.  That would seem to conflict with using https:// in some philosophical sense.  It also makes https://, as opposed to just http://, redundant.

I guess what it boils down to is:  are you doing this because it's easier to get http:// to traverse some naive firewall?  Or are you doing this because you want to be Microsoft compatible?

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu