Re: Insecure WWW Access Authorization Protocol?

"Peter Lister, Cranfield Computer Centre" <P.Lister@cranfield.ac.uk>

Mail folder: WWW Talk Jan 94-present
Next message: Wayne Allen: "Insecure WWW Access Authorization Protocol?"
Previous message: michael shiplett: "Re: Insecure WWW Access Authorization Protocol? "
Maybe in reply to: Peter Lister, Cranfield Computer Centre: "Re: Insecure WWW Access Authorization Protocol?"
Reply: Wayne Allen: "Insecure WWW Access Authorization Protocol?"

Errors-To: listmaster@www0.cern.ch
Date: Tue, 8 Mar 1994 16:14:28 --100
Message-id: <9403081507.AA04312@xdm039.ccc.cranfield.ac.uk>
Errors-To: listmaster@www0.cern.ch
Reply-To: P.Lister@cranfield.ac.uk
Originator: www-talk@info.cern.ch
Sender: www-talk@www0.cern.ch
Precedence: bulk
From: "Peter Lister, Cranfield Computer Centre" <P.Lister@cranfield.ac.uk>
To: Multiple recipients of list <www-talk@www0.cern.ch>
Subject: Re: Insecure WWW Access Authorization Protocol?
X-Listprocessor-Version: 6.0c -- ListProcessor by Anastasios Kotsikonas
Content-Length: 1521

>   Even though the following uses Kerberos for much of the discussion,
> the mapping of URLs to authentication identities is a generic issue
> which needs to be resolved for all authentication methods.

Hear hear.

>   The different protocols to which I refer are the authentication
> protocols--k4, pgp, k5, etc.--not the connection methods--ftp, gopher,
> http. I propose that the two together would, for Kerberos, be the
> principal's name, e.g., k5-gopher.bob.foo.com@FOO.COM,
> k4-http.bob.foo.com@FOO.COM. This would allow each connection method
> to determine the authentication protocol.

We know which authentication protocol we're using, the HTTP response sez 
"WWW-Authenticate: KerberosV4". Adding "k4-" to a Kerberos principal name 
doesn't tell anyone anything useful. It may confuse people into believing that 
the principal only works with the "right" authentication protocol, which is 
untrue - a Kerberos 5 speaking HTTP server can probably also understand 
Kerberos 4, and should use a single principal for both. I really don't 
understand why you want this.

BTW, I'm now lead to wonder what happens when a server is happy to accept any 
one of multiple different authentication protocols, e.g. Kerberos[45] and PGP?

Peter Lister                             Email: p.lister@cranfield.ac.uk
Computer Centre, Cranfield University    Voice: +44 234 754200 ext 2828
Cranfield, Bedfordshire MK43 0AL UK        Fax: +44 234 750875
--- Go stick your head in a pig.  (R) Sirius Cybernetics Corporation ---