Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication
> In my last email I described one reason why a password
> database check is not the same as using Kerberos, but (again)
> I don't think the various ways of authenticating with
> Kerberos and which is better needs to be discussed.

This is basically the point though. Obviously you disagree, which is fine, but for me, the issue is precisely how the *client* authenticates, not how the web server that is colocated with the authentication authority authenticates. As a relying party, there's a difference between a client getting a TGT and never exposing the password to the network, and using TLS to ship it up to the server. Using a single authentication method for both is essentially (for me) rendering it meaningless, since I may very well consider one acceptable and the other not acceptable. Of course, if authn context can distinguish this, that's fine too; there's no need to deal with it in the legacy methods.

All that said, I'm not making Polar's argument. I'm a realist, and we do the password over TLS approach every day on the order of 30,000-60,000 times on the web and many million times for email checks (and that's cleartext!). I'm not discussing whether it's good, bad, or indifferent (that's irrelevant), just that it's not IMHO Kerberos in any useful sense.

-- Scott
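The relying-party position in the message above (accept an assertion that says the client authenticated with Kerberos, reject one that says the password was shipped to the server over TLS) is easy to make concrete. The following is an added illustration, not code from the list thread or from any SAML implementation. It reads the authentication method out of a SAML 1.x `AuthenticationStatement` or a SAML 2.0 `AuthnContextClassRef` and applies a policy. The method URIs are the ones defined in the SAML 1.1 and 2.0 specifications; the sample assertions are constructed for this example (unsigned, no conditions), and the accept/reject policy is an assumption about one particular relying party rather than anything the specifications mandate.

```python
"""Relying-party check of the asserted authentication method.

Added illustration only. The assertions below are constructed for the example;
the policy (Kerberos acceptable, password-over-TLS not) is an assumed
deployment choice, not a SAML requirement.
"""
import xml.etree.ElementTree as ET

# Namespaces from the SAML 1.1 and 2.0 assertion schemas.
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# SAML 1.x AuthenticationMethod identifiers (SAML 1.1 core, section 7.1).
AM_PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"
AM_KERBEROS = "urn:ietf:rfc:1510"
# SAML 2.0 authentication context class references.
AC_PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
AC_KERBEROS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"

# Assumed relying-party policy: only methods where the client itself did
# Kerberos (and never sent its password to the web tier) are acceptable.
ACCEPTED_METHODS = frozenset({AM_KERBEROS, AC_KERBEROS})


def asserted_methods(assertion_xml: str) -> list:
    """Return every authentication method URI the assertion claims.

    Covers SAML 1.x (AuthenticationStatement/@AuthenticationMethod) and
    SAML 2.0 (AuthnStatement/AuthnContext/AuthnContextClassRef).
    """
    root = ET.fromstring(assertion_xml)
    methods = []
    for stmt in root.iter(f"{{{SAML1_NS}}}AuthenticationStatement"):
        method = stmt.get("AuthenticationMethod")
        if method:
            methods.append(method.strip())
    for ref in root.iter(f"{{{SAML2_NS}}}AuthnContextClassRef"):
        if ref.text:
            methods.append(ref.text.strip())
    return methods


def accept(assertion_xml: str, policy=ACCEPTED_METHODS) -> bool:
    """Accept only if a method is asserted and every asserted method is allowed.

    An assertion that names no method at all is rejected rather than guessed
    at; the whole point is that the relying party must be able to tell.
    """
    methods = asserted_methods(assertion_xml)
    return bool(methods) and all(m in policy for m in methods)


# Constructed sample assertions (not captured traffic; signatures omitted).
SAML1_KERBEROS = f"""<saml:Assertion xmlns:saml="{SAML1_NS}" MajorVersion="1" MinorVersion="1">
  <saml:AuthenticationStatement AuthenticationMethod="{AM_KERBEROS}"
      AuthenticationInstant="2002-05-01T12:00:00Z">
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

# Same statement, but the IdP only verified a password it received itself.
SAML1_PASSWORD = SAML1_KERBEROS.replace(AM_KERBEROS, AM_PASSWORD)

SAML2_PPT = f"""<saml:Assertion xmlns:saml="{SAML2_NS}" Version="2.0">
  <saml:AuthnStatement AuthnInstant="2002-05-01T12:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{AC_PPT}</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    samples = [("SAML 1.1 Kerberos", SAML1_KERBEROS),
               ("SAML 1.1 password", SAML1_PASSWORD),
               ("SAML 2.0 PasswordProtectedTransport", SAML2_PPT)]
    for label, doc in samples:
        print(f"{label}: {'accept' if accept(doc) else 'reject'}")
```

The check is deliberately strict in two places: an assertion carrying more than one statement must have every method in policy, and an assertion that names no method is rejected, because a relying party that cannot tell Kerberos-by-the-client from password-over-TLS has exactly the ambiguity the message complains about.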