Re: Insecure WWW Access Authorization Protocol?

Date: Tue, 8 Mar 1994 16:14:28 --100
From: "Peter Lister, Cranfield Computer Centre" <>
To: Multiple recipients of list <>
Subject: Re: Insecure WWW Access Authorization Protocol?
>   Even though the following uses Kerberos for much of the discussion,
> the mapping of URLs to authentication identities is a generic issue
> which needs to be resolved for all authentication methods.

Hear hear.

>   The different protocols to which I refer are the authentication
> protocols--k4, pgp, k5, etc.--not the connection methods--ftp, gopher,
> http. I propose that the two together would, for Kerberos, be the
> principal's name, e.g.,,
> This would allow each connection method
> to determine the authentication protocol.

We know which authentication protocol we're using, the HTTP response sez 
"WWW-Authenticate: KerberosV4". Adding "k4-" to a Kerberos principal name 
doesn't tell anyone anything useful. It may confuse people into believing that 
the principal only works with the "right" authentication protocol, which is 
untrue - a Kerberos 5 speaking HTTP server can probably also understand 
Kerberos 4, and should use a single principal for both. I really don't 
understand why you want this.

BTW, I'm now led to wonder what happens when a server is happy to accept any 
one of multiple different authentication protocols, e.g. Kerberos[45] and PGP?

Peter Lister                             Email:
Computer Centre, Cranfield University    Voice: +44 234 754200 ext 2828
Cranfield, Bedfordshire MK43 0AL UK        Fax: +44 234 750875
--- Go stick your head in a pig.  (R) Sirius Cybernetics Corporation ---
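The closing question above, a server that advertises several authentication protocols at once, is exactly the case a client has to parse out of the `WWW-Authenticate` response header. The following is an added illustration, not code from the original message or from any WWW server of the time: a small Python parser for the challenge grammar later fixed in RFC 7235 (scheme, then either `name=value` parameters or a `token68` blob, several challenges separated by commas), plus a chooser that picks the strongest scheme the client supports rather than the first one the server happened to list. `KerberosV4` is the scheme named in the message; `KerberosV5`, `PGP`, `Negotiate`, `Basic`, the realm names and every parameter value are constructed sample data.

```python
"""Parse HTTP WWW-Authenticate challenges and pick one the client supports.

Added example for illustration; it is not code from the original posting.
The challenge grammar follows RFC 7235 (which post-dates the 1994 thread).
"""
import re

# Constructed sample 401 response header values. "KerberosV4" is the scheme
# named in the message; every other scheme name and all parameter values are
# assumed for illustration only.
SAMPLE_HEADERS = [
    'KerberosV4 realm="EXAMPLE.ORG", PGP keyid="0xDEADBEEF", Negotiate abc==',
    'Basic realm="Cranfield WWW", charset="UTF-8"',
]

# Client-side preference, strongest first. Choosing by *our* order rather than
# the server's order means a client never silently drops to Basic just because
# the server listed it first.
CLIENT_PREFERENCE = ["kerberosv5", "kerberosv4", "pgp", "basic"]

_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_SKIP = re.compile(r"[\s,]*")                      # separators between challenges
_SCHEME = re.compile(r"\s*(" + _TOKEN + r")")
_SEP = re.compile(r"\s*,?")                         # optional comma before a param
_PARAM = re.compile(
    r"\s*(" + _TOKEN + r')\s*=\s*(?:"((?:[^"\\]|\\.)*)"|(' + _TOKEN + r"))"
)
# token68: base64-ish blob that must be followed by a comma or end of value,
# so "realm=x" (a parameter) is never mistaken for one.
_TOKEN68 = re.compile(r"\s*([A-Za-z0-9._~+/-]+=*)(?=\s*(?:,|$))")


def _unquote(s):
    """Undo backslash escapes inside a quoted-string."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_challenges(value):
    """Split one WWW-Authenticate field value into a list of
    (scheme, params) tuples; params is a dict, or a str for token68 data."""
    challenges = []
    pos = 0
    while True:
        pos = _SKIP.match(value, pos).end()
        if pos >= len(value):
            break
        m = _SCHEME.match(value, pos)
        if not m:
            raise ValueError("malformed challenge at offset %d: %r" % (pos, value))
        scheme, pos = m.group(1), m.end()
        m = _TOKEN68.match(value, pos)
        if m:                                      # e.g. "Negotiate abc=="
            challenges.append((scheme, m.group(1)))
            pos = m.end()
            continue
        params = {}
        while True:
            p = _PARAM.match(value, _SEP.match(value, pos).end())
            if not p:
                break                              # next challenge or end of value
            name = p.group(1).lower()
            params[name] = _unquote(p.group(2)) if p.group(2) is not None else p.group(3)
            pos = p.end()
        challenges.append((scheme, params))
    return challenges


def choose_challenge(headers, preference=CLIENT_PREFERENCE):
    """Return the offered (scheme, params) the client prefers most, or None
    if the server offers nothing the client speaks. Scheme names are
    compared case-insensitively, as HTTP requires."""
    by_scheme = {}
    for header in headers:
        for scheme, data in parse_challenges(header):
            by_scheme.setdefault(scheme.lower(), (scheme, data))
    for want in preference:
        if want in by_scheme:
            return by_scheme[want]
    return None


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(parse_challenges(header))
    print("client picks:", choose_challenge(SAMPLE_HEADERS))
```

The protocol to use comes entirely from the scheme the chooser returns; the user's principal name is passed to that protocol unchanged, which is the point the reply makes against `k4-`/`k5-` prefixes. The one defensive detail worth keeping is the preference list: a client that simply took the first challenge offered would let anyone who can rewrite the response (or a misconfigured server) steer it onto Basic.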