
Standardize Kerberos authentication and authorization in HTTP?

  • Mike Spreitzer
    Message 1 of 2 , Nov 2, 1999
      It seems to me that it would be good to have an IETF standard on how to do
      Kerberos-based authentication and authorization in HTTP. By the
      authorization part I mean the ability to pass proxy tickets, including
      forwarded and/or forwardable TGTs. RFC 2712 (Kerberos in TLS) clearly
      addresses the authentication part, but, because TLS doesn't address
      authorization, does not clearly address the authorization part. However, a
      possible approach would be to use RFC 1964's technique of putting forwarded
      tickets in the Authenticator (RFC 2712 *does* pass an Authenticator). A
      possible drawback of this approach is that some server-side products (e.g.,
      Java Servlet engines) may not pass as many TLS details as they should.

      Kerberos is well known in UNIX-land, and is coming in Windows 2000. In
      fact, Microsoft already has a way of doing both authentication and
      authorization based on Kerberos. An informed source tells me their
      technique, while not publicly documented, is based on IETF standards (e.g.,
      RFC 1964). A plausible and happy scenario would be for them to submit
      their technique, and a consensus formed around it.

      Does this make sense to you?

      Where should such an effort be homed? Larry assures me the HTTP-WG is
      shutting down and won't take any new work. I don't have any strong opinion
      on the matter.

      Thanks,
      Mike Spreitzer <spreitze@...>
      http://parcweb.parc/spreitze/ (Xerox internal)
      http://www.parc.xerox.com/spreitze/ (external)
      +1-650-812-4833
    • Kevin J. Dyer
      Message 2 of 2 , Nov 3, 1999
        At 04:52 PM 11/2/99 , Mike Spreitzer wrote:


        >Where should such an effort be homed? Larry assures me the HTTP-WG is
        >shutting down and won't take any new work. I don't have any strong opinion
        >on the matter.

        Shouldn't WWW Security be the sponsor of such an effort? HTTP is the
        basic protocol but it is up to the relevant WGs to recommend track
        enhancements that will support the additional requirements (e.g.
        WEBDAV).
        ===========================================================
        Kevin J. Dyer Draper Laboratory MS 35
        Email: <kdyer@...> 555 Tech. Sq.
        Phone: 617-258-4962 Cambridge, MA 02139
        FAX: 617-258-2061
        ----------------------------------------------------------------------------
        ------------------------------------------
        _/_/_/_/ _/ _/ _/ _/ _/ _/_/_/_/
        _/ _/ _/_/ _/_/ _/ _/_/ _/ _/
        _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/_/_/
        _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/
        _/_/_/_/ _/ _/ _/ _/ _/ _/ _/_/_/_/
        Data Management & Information Navigation Systems
        ===========================================================