Re: FYI: Plexus 2.1 is now available

"Peter Lister, Cranfield Computer Centre" <ccprl@xdm001.ccc.cranfield.ac.uk>
Message-id: <9305241712.AA05975@xdm039>
To: www-talk@nxoc01.cern.ch
Cc: ccprl@xdm001.ccc.cranfield.ac.uk
Subject: Re: FYI: Plexus 2.1 is now available 
In-Reply-To: Your message of "Mon, 24 May 93 17:03:20 BST."
             <9305241603.AA02755@xdm001> 
Date: Mon, 24 May 93 18:12:14 BST
From: "Peter Lister, Cranfield Computer Centre" <ccprl@xdm001.ccc.cranfield.ac.uk>
> Yes, for a single realm.  The problem is that with the Web you are reading
> documents from all over (many possible realms).  Are you going to require
> that the user kinit in a shell window for each document at a different
> site (possibly having to exit the browser each time for line-mode browsers
> with no job control)?

I'm not "requiring" it, Kerberos is. How many Kerberos realms you are
known to? I'm known to only 2 (possibly 3). Cross realm authentication
doesn't work yet. I may indeed look at lots of docs at lots of sites
around the net, but I am not known to most of the Kerberi in the world,
and I am certainly not in any way privileged elsewhere in the world.
The reason I (and I suspect most people in the world) want
authenticated WWW is so that privileged folk at a site can read
confidential docs and lock the rest of the world out. When proper
cross-realm authentication is in widespread use, no-one will have to
enter passwords to get a foreign ticket anyway.

As to job control, line mode browsers start telnet happily enough, so
they can run kinit the same way.

> It would have to be a different protocol  I chose kerberosIV-1 as the name
> of this protocol, another might be kerberosAFS-1, there would also be
> kerberosV-1 and maybe even kerberosIV-2.

But it's NOT a different protocol!! AFS Kerberos is the same procotol
as MIT Kerberos. The only difference is in clients which translate
passwords to keys - kinit, kpasswd and login. It just confuses matters
to treat them differently. The easiest solution is a Kerberos client
which understands both, which is invisible to HTTP.

> I cannot think of any other reasonable solution with the current
> technology (and I'm not interested in rolling my own).

Neither can I. However, I'm trying to be realistic; after 3 years of
looking after a Kerberos authenticated system, I think I know it fairly
well. I don't think you can get round this problem. Any "roll your own"
solution is useless unless everyone ELSE has it!

I'd guess that browser writers don't want to put Kerberos functionality
into their software - far easier to just run kinit/klog or the local
X11 ticket manager/password changer. Tyro users see the interface that
they're used to, rather than a line mode "dialog box".

Kerberos functionality in plexus is great, but won't be used unless
there are Kerberos aware browsers, so let's not make life difficult for
browser writers by insisting they re-invent wheels. I'd prefer them to
devote their talents to making the Web look nicer.

Peter Lister                                    p.lister@cranfield.ac.uk
Computer Centre,
Cranfield Institute of Technology,        Voice: +44 234 754200 ext 2828
Cranfield, Bedfordshire MK43 0AL UK         Fax: +44 234 750875