httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Kevin A. Burton" <>
Subject Re: Kerberos authentication and authentication (proxy ticket forwarding)
Date Sat, 06 Nov 1999 07:57:03 GMT
I wonder if this should just be done through PAM?


Mike Spreitzer wrote:
> It seems to me that it would be good to have an open standard for how to do
> Kerberos authentication and authorization for the web, and that you guys
> would support this and implement it; does this sound right to you?
> The authorization part I'm referring to is the ability to forward proxy
> tickets, including ticket-granting tickets, from client to server.
> Kerberos is already established in the UNIX community, and is about have a
> significant presence in the Windows community (due to it being the basis
> for Windows 2000 security).  This presents us with the happy prospect of
> something those two communities can agree on!
> We already have RFC 2712, which tells how to use Kerberos for
> authentication, integrity, and confidentiality in TLS (and specifies that
> no X.509 certificates are exchanged).  However, TLS has not traditionally
> taken any farther than this, so using it to forward tickets seems a bit
> odd.  But not unthinkable; RFC 1964 standardizes a way to put tickets in
> the checksum field of the Kerberos "Authenticator" (and the Authenticator
> *is* used in RFC 2712).  This might be a possible way to go.  Another
> possibility is whatever Microsoft has already implemented for IE&IIS in
> Win2K.
> What do you think?
> Thanks,
> Mike


Kevin A Burton
Mobile:  408-910-6145
"...there is something outside yourself that has to be served, when that
need is
gone, when belief has died... what are you?  A man without a Master."

View raw message