OASIS Mailing List Archives

 



security-services message



Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication



My first reaction is, "You've got to be kidding me!",
then sadly, or more frighteningly, you wouldn't be.

I'll agree with you.  I wouldn't call that Kerberos. My god.

Sometimes, I just wonder what other abominations .....

Gezzzz,
-Polar

On Mon, 12 Apr 2004, Scott Cantor wrote:

> > Do you mean the "kerberos user" quite blatantly gives his kerberos name
> > AND PASSWORD to the web server? And then the web server gets the TGT from
> > the KDC AS service in the name of the kerberos user?
>
> Sure, that's how the vast majority of web SSO systems work if the
> authentication source is Kerberos. Obviously Kerberos is fairly incidental
> in that environment; a password database is just as good (or bad).
>
> Ideally that traffic is confined to a single trusted server that doesn't
> host applications, just the weblogin process. In practice, people do
> basic-auth over SSL to Kerberos all over, all the time.
>
> -- Scott
>

