HTTP && HTTPS Transport Review
nico at cryptonector.com
Fri Aug 16 14:15:41 EDT 2013
On Fri, Aug 16, 2013 at 11:07:10AM -0700, Henry B. Hotz wrote:
> The fact that there is no existing (non-proprietary) spec means you
> are in effect asking MIT to "take sides".
[Not speaking for the OP.]
Or MIT could implement both...
> 1) K5-over-http is (or at least should be from a design perspective)
> orthogonal to the question of K5-over-TLS. There is also STARTTLS.
> The value of it is independent of the value of using http[s]://.
The primary motivator for using HTTP(S) is firewall traversal, not TLS.
> 2) As Nico said GET is supposed to be idempotent. The only violation
> in the existing Heimdal implementation is that the KDC does not record
> the session key to guarantee a repeat request gets a literally
> identical (as opposed to functionally equivalent) response.
> Considering how other things have worse violations, I don't think
> that's important.
I'm not even sure that that's not RESTful, but it's a triviality.
> 3) The standards community has already voted to support FAST over
> STARTTLS when full content privacy of the AS exchange is needed. That
> would seem to conflict with using https:// in some philosophical
> sense. It also makes https://, as opposed to just http://, redundant.
> I guess what it boils down to is: are you doing this because it's
> easier to get http:// to traverse some naive firewall? Or are you
> doing this because you want to be Microsoft compatible?
It's almost certainly the first. HTTP is the new IP (and has been).