Re: Insecure WWW Access Authorization Protocol?
"Peter Lister, Cranfield Computer Centre" <P.Lister@cranfield.ac.uk>
Date: Tue, 8 Mar 1994 16:14:28 --100
From: "Peter Lister, Cranfield Computer Centre" <P.Lister@cranfield.ac.uk>
To: Multiple recipients of list <firstname.lastname@example.org>
Subject: Re: Insecure WWW Access Authorization Protocol?
X-Listprocessor-Version: 6.0c -- ListProcessor by Anastasios Kotsikonas
> Even though the following uses Kerberos for much of the discussion,
> the mapping of URLs to authentication identities is a generic issue
> which needs to be resolved for all authentication methods.
> The different protocols to which I refer are the authentication
> protocols--k4, pgp, k5, etc.--not the connection methods--ftp, gopher,
> http. I propose that the two together would, for Kerberos, be the
> principal's name, e.g., k5-gopher.bob.foo.com@FOO.COM,
> k4-http.bob.foo.com@FOO.COM. This would allow each connection method
> to determine the authentication protocol.
We know which authentication protocol we're using, the HTTP response sez
"WWW-Authenticate: KerberosV4". Adding "k4-" to a Kerberos principal name
doesn't tell anyone anything useful. It may confuse people into believing that
the principal only works with the "right" authentication protocol, which is
untrue - a Kerberos 5 speaking HTTP server can probably also understand
Kerberos 4, and should use a single principal for both. I really don't
understand why you want this.
BTW, I'm now led to wonder what happens when a server is happy to accept any
one of multiple different authentication protocols, e.g. Kerberos and PGP?
Peter Lister Email: email@example.com
Computer Centre, Cranfield University Voice: +44 234 754200 ext 2828
Cranfield, Bedfordshire MK43 0AL UK Fax: +44 234 750875
--- Go stick your head in a pig. (R) Sirius Cybernetics Corporation ---
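The two points in the reply above (the WWW-Authenticate header already names the authentication protocol, so the service principal need not; and a server may offer several protocols at once) as an added example, not code from the original post or from any WWW or Kerberos implementation of the time. It parses the challenges from a constructed 401 response carrying KerberosV4, PGP and KerberosV5 (the scheme tokens follow the message's own usage and are assumed, not registered names), lets the client pick the first scheme it supports, and derives the server's principal from the URL's connection method and host alone, spelled in Kerberos 4 (name.instance@REALM) or Kerberos 5 (name/instance@REALM) syntax depending on which scheme was negotiated. The sample response, the realm FOO.COM and the preference list are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed 401 response: two WWW-Authenticate header fields, the first of
# which carries two comma-separated challenges (RFC 7235 allows both forms).
SAMPLE_401 = (
    "HTTP/1.0 401 Unauthorized\r\n"
    'WWW-Authenticate: KerberosV4 realm="FOO.COM", PGP\r\n'
    'WWW-Authenticate: KerberosV5 realm="FOO.COM"\r\n'
    "Content-Type: text/html\r\n"
    "\r\n"
)


def www_authenticate_values(raw_response):
    """Collect every WWW-Authenticate field value from a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate":
            values.append(value.strip())
    return values


def _split_commas(text):
    """Split on commas that are not inside a quoted-string."""
    parts, buf, in_quotes = [], [], False
    for ch in text:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def parse_challenges(values):
    """Return [(scheme, {param: value}), ...] in the order the server sent them.

    A piece that starts with a bare token begins a new challenge; a piece of
    the form key=value continues the previous challenge's auth-params.
    Assumes auth-param challenges only (no token68 payloads).
    """
    challenges = []
    for value in values:
        for piece in _split_commas(value):
            head, _, rest = piece.partition(" ")
            if "=" in head:                       # continuation param
                if not challenges:
                    raise ValueError("auth-param before any scheme: %r" % piece)
                key, _, val = piece.partition("=")
                challenges[-1][1][key.strip().lower()] = val.strip().strip('"')
            else:
                params = {}
                if rest:
                    key, _, val = rest.partition("=")
                    params[key.strip().lower()] = val.strip().strip('"')
                challenges.append((head, params))
    return challenges


def choose_scheme(challenges, client_prefs):
    """Pick the first scheme in the client's preference order that the server
    offered. Returns (scheme, params) or None.

    The challenge list is unauthenticated: anyone who can rewrite the 401 can
    drop the stronger schemes, so order client_prefs strongest-first and treat
    a fallback to a weak scheme as a decision, not a default.
    """
    offered = {scheme.lower(): params for scheme, params in challenges}
    for pref in client_prefs:
        if pref.lower() in offered:
            return pref, offered[pref.lower()]
    return None


def service_principal(url, scheme, realm):
    """Server principal for a URL: the connection method (http, gopher, ftp)
    is the service name, the host is the instance. The authentication protocol
    appears only in the header, never as a 'k4-'/'k5-' prefix; the two
    spellings below are Kerberos 4 and Kerberos 5 syntax for the same name.
    """
    parts = urlsplit(url)
    service, host = parts.scheme, parts.hostname
    if scheme.lower() == "kerberosv4":
        return "%s.%s@%s" % (service, host, realm)
    if scheme.lower() == "kerberosv5":
        return "%s/%s@%s" % (service, host, realm)
    raise ValueError("no Kerberos principal for scheme %r" % scheme)


def negotiate(raw_response, url, client_prefs):
    """One client round: parse challenges, pick a scheme, name the server."""
    chosen = choose_scheme(parse_challenges(www_authenticate_values(raw_response)), client_prefs)
    if chosen is None:
        return None
    scheme, params = chosen
    return scheme, service_principal(url, scheme, params["realm"])


if __name__ == "__main__":
    print(negotiate(SAMPLE_401, "http://bob.foo.com/secret", ["KerberosV5", "KerberosV4", "PGP"]))
```

Running the block prints the negotiated scheme and principal for the constructed response; with the preference list shown it selects KerberosV5 and names the server http/bob.foo.com@FOO.COM, while a KerberosV4-only client would end up at http.bob.foo.com@FOO.COM for the same server.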