HTTP && HTTPS Transport Review

Nico Williams nico at cryptonector.com
Fri Aug 16 14:15:41 EDT 2013


On Fri, Aug 16, 2013 at 11:07:10AM -0700, Henry B. Hotz wrote:
> The fact that there is no existing (non-proprietary) spec means you
> are in effect asking MIT to "take sides".

[Not speaking for the OP.]

Or MIT could implement both...

> 1) K5-over-http is (or at least should be from a design perspective)
> orthogonal to the question of K5-over-TLS.  There is also STARTTLS.
> The value of it is independent of the value of using http[s]://.

The primary motivator for using HTTP(S) is firewall traversal, not TLS.

> 2) As Nico said GET is supposed to be idempotent.  The only violation
> in the existing Heimdal implementation is that the KDC does not record
> the session key to guarantee a repeat request gets a literally
> identical (as opposed to functionally equivalent) response.
> Considering how other things have worse violations, I don't think
> that's important.

I'm not even sure that that's not RESTful, but it's a triviality.

> 3) The standards community has already voted to support FAST over
> STARTTLS when full content privacy of the AS exchange is needed.  That
> would seem to conflict with using https:// in some philosophical
> sense.  It also makes https://, as opposed to just http://, redundant.

We have?

> I guess what it boils down to is:  are you doing this because it's
> easier to get http:// to traverse some naive firewall?  Or are you
> doing this because you want to be Microsoft compatible?

It's almost certainly the first.  HTTP is the new IP (and has been).

Nico