httpd-dev mailing list archives

From "Mike Spreitzer" <sprei...@parc.xerox.com>
Subject Kerberos authentication and authentication (proxy ticket forwarding)
Date Thu, 04 Nov 1999 23:43:24 GMT
It seems to me that it would be good to have an open standard for how to do
Kerberos authentication and authorization for the web, and that you guys
would support this and implement it; does this sound right to you?

The authorization part I'm referring to is the ability to forward proxy
tickets, including ticket-granting tickets, from client to server.

Kerberos is already established in the UNIX community, and is about to have a
significant presence in the Windows community (due to it being the basis
for Windows 2000 security).  This presents us with the happy prospect of
something those two communities can agree on!

We already have RFC 2712, which tells how to use Kerberos for
authentication, integrity, and confidentiality in TLS (and specifies that
no X.509 certificates are exchanged).  However, TLS has not traditionally
been taken any farther than this, so using it to forward tickets seems a bit
odd.  But not unthinkable; RFC 1964 standardizes a way to put tickets in
the checksum field of the Kerberos "Authenticator" (and the Authenticator
*is* used in RFC 2712).  This might be a possible way to go.  Another
possibility is whatever Microsoft has already implemented for IE&IIS in
Win2K.

What do you think?

Thanks,
Mike
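
The checksum-field layout from RFC 1964 section 1.1.1 that the message refers to, as an added example that is not part of the original post: a receiving server would bounds-check this field before passing the forwarded credential to a KRB-CRED decoder. The function names and the sample bytes are assumptions constructed for illustration; the Deleg payload is a placeholder, not a real KRB-CRED.

```python
import struct

GSS_C_DELEG_FLAG = 0x01   # RFC 1964 section 1.1.1: credentials are being delegated
KRB_CRED_TAG = 0x76       # ASN.1 [APPLICATION 22], first byte of a KRB-CRED

def parse_gss_checksum(data: bytes) -> dict:
    """Parse the checksum field (type 0x8003) of a GSS-API Kerberos Authenticator."""
    if len(data) < 24:
        raise ValueError("shorter than the fixed Lgth/Bnd/Flags part")
    lgth, = struct.unpack_from("<I", data, 0)        # little-endian, must be 16
    if lgth != 16:
        raise ValueError("Lgth must be 16")
    flags, = struct.unpack_from("<I", data, 20)
    out = {"bnd": data[4:20], "flags": flags, "deleg": None}
    if not flags & GSS_C_DELEG_FLAG:
        return out                                    # no forwarded ticket present
    if len(data) < 28:
        raise ValueError("delegation flag set but DlgOpt/Dlgth missing")
    dlg_opt, dlgth = struct.unpack_from("<HH", data, 24)
    if dlg_opt != 1:
        raise ValueError("unexpected DlgOpt")
    deleg = data[28:28 + dlgth]
    # Reject a truncated or mistyped blob before any ASN.1 decoding happens.
    if len(deleg) != dlgth or not deleg or deleg[0] != KRB_CRED_TAG:
        raise ValueError("Deleg truncated or not a KRB-CRED")
    out["deleg"] = deleg
    return out

def build_sample(deleg: bytes = b"") -> bytes:
    """Constructed sample: zeroed channel bindings, optional Deleg blob."""
    flags = 0x02 | (GSS_C_DELEG_FLAG if deleg else 0)    # 0x02 = mutual auth
    head = struct.pack("<I16sI", 16, bytes(16), flags)
    return head + (struct.pack("<HH", 1, len(deleg)) + deleg if deleg else b"")

if __name__ == "__main__":
    # Placeholder bytes that only carry the KRB-CRED tag; not a real credential.
    fake_cred = bytes([KRB_CRED_TAG, 0x03, 0x30, 0x01, 0x00])
    print(parse_gss_checksum(build_sample(fake_cred)))
```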
