Re: FYI: Plexus 2.1 is now available

Tony Sanders <sanders@bsdi.com>
Errors-To: sanders@bsdi.com
Message-id: <9305241522.AA17895@austin.BSDI.COM>
To: www-talk@nxoc01.cern.ch
Subject: Re: FYI: Plexus 2.1 is now available 
In-Reply-To: Your message of Mon, 24 May 93 11:14:40 BST.
Reply-To: sanders@bsdi.com
Organization: Berkeley Software Design, Inc.
Date: Mon, 24 May 1993 10:22:02 -0500
From: Tony Sanders <sanders@bsdi.com>
> >     * 4) The browser detects the 402 error code and initiates a dialog
> >	 containing the information from the Cost: field and requests
> >	 the password which is used to authenticate the user in the
> > 	 server's Realm and get a ticket for the server's Instance.
> 
> A yes/no confirmation dialog is useful if there is a real cost, but the
> browser should never see the password.
> 
> 1) Kerberos should normally be invisible to users; there should be a
> TGT whenever the user is logged in.
Yes, for a single realm.  The problem is that with the Web you are reading
documents from all over (many possible realms).  Are you going to require
that the user kinit in a shell window for each document at a different
site (possibly having to exit the browser each time for line-mode browsers
with no job control)?

> 2) AFS kerberos uses a different password->key mapping, so you'd have a
> problem with AFS sites. (Problem #1; how do you tell apart sites using
> AFS Kerberos? We use AFS with MIT Kerberos).
It would have to be a different protocol.  I chose kerberosIV-1 as the name
of this protocol, another might be kerberosAFS-1, there would also be
kerberosV-1 and maybe even kerberosIV-2.

> 3) It's bad policy for users to get into the habit of entering their
> passwords into programs other than passwd, kinit and login.
I cannot think of any other reasonable solution with the current
technology (and I'm not interested in rolling my own).

> we'd be happy to try a Kerberised client and server, as authenticated
> info serving is something of a wish here.
great

--sanders