security-services message



Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication



In my last email I described one reason why a password database check is not the same as using Kerberos, but (again) I don't think the various ways of authenticating with Kerberos, and which is better, need to be discussed.

Tim.

-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu]
Sent: 13 April 2004 02:14
To: 'Polar Humenn'
Cc: security-services@lists.oasis-open.org
Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication

> Do you mean the "kerberos user" quite blatantly gives his kerberos name
> AND PASSWORD to the web server? And then the web server gets the TGT from
> the KDC AS service in the name of the kerberos user?

Sure, that's how the vast majority of web SSO systems work if the
authentication source is Kerberos. Obviously Kerberos is fairly incidental
in that environment; a password database is just as good (or bad).

Ideally that traffic is confined to a single trusted server that doesn't
host applications, just the weblogin process. In practice, people do
basic-auth over SSL to Kerberos all over, all the time.

-- Scott

