Re: Insecure WWW Access Authorization Protocol?

Peter Lister, Cranfield Computer Centre (P.Lister@cranfield.ac.uk)
Tue, 8 Mar 1994 16:14:28 --100


> Even though the following uses Kerberos for much of the discussion,
> the mapping of URLs to authentication identities is a generic issue
> which needs to be resolved for all authentication methods.

Hear hear.

> The different protocols to which I refer are the authentication
> protocols--k4, pgp, k5, etc.--not the connection methods--ftp, gopher,
> http. I propose that the two together would, for Kerberos, be the
> principal's name, e.g., k5-gopher.bob.foo.com@FOO.COM,
> k4-http.bob.foo.com@FOO.COM. This would allow each connection method
> to determine the authentication protocol.

We know which authentication protocol we're using, the HTTP response sez
"WWW-Authenticate: KerberosV4". Adding "k4-" to a Kerberos principal name
doesn't tell anyone anything useful. It may confuse people into believing that
the principal only works with the "right" authentication protocol, which is
untrue - a Kerberos 5 speaking HTTP server can probably also understand
Kerberos 4, and should use a single principal for both. I really don't
understand why you want this.

BTW, I'm now led to wonder what happens when a server is happy to accept any
one of multiple different authentication protocols, e.g. Kerberos[45] and PGP?

Peter Lister Email: p.lister@cranfield.ac.uk
Computer Centre, Cranfield University Voice: +44 234 754200 ext 2828
Cranfield, Bedfordshire MK43 0AL UK Fax: +44 234 750875
--- Go stick your head in a pig. (R) Sirius Cybernetics Corporation ---
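An added illustration of the two points in the reply above (it is not code from the thread or from any WWW project): the client learns the authentication protocol from the WWW-Authenticate challenge(s) the server sends, so the service principal itself needs no "k4-"/"k5-" prefix, and a server offering several protocols is handled by the client choosing among them. The header syntax, scheme names, preference order and realm lookup are assumptions for this example.

```python
"""Client-side chooser for WWW-Authenticate challenges (constructed example;
scheme names, preference order and realm mapping are assumptions)."""
from urllib.parse import urlsplit

# Client preference, strongest first (assumed ordering for this example).
PREFERENCE = ["KerberosV5", "KerberosV4", "PGP"]

def parse_challenges(headers):
    """Return the scheme names offered in every WWW-Authenticate header.

    Headers may be repeated or carry several comma-separated challenges;
    only the leading token (the scheme) of each challenge is needed here.
    Quoted commas inside challenge parameters are not handled."""
    schemes = []
    for name, value in headers:
        if name.lower() != "www-authenticate":
            continue
        for challenge in value.split(","):
            token = challenge.strip().split(" ", 1)[0]
            if token:
                schemes.append(token)
    return schemes

def choose_scheme(offered):
    """Pick the first mutually supported scheme; None if there is none."""
    for scheme in PREFERENCE:
        if scheme in offered:
            return scheme
    return None

def service_principal(url, realm_for_host):
    """One principal per (connection method, host), e.g. http.bob.foo.com@FOO.COM,
    shared by every Kerberos version the server speaks: the protocol is already
    known from the challenge. realm_for_host is an assumed caller-supplied lookup."""
    parts = urlsplit(url)
    host = parts.hostname
    return f"{parts.scheme}.{host}@{realm_for_host(host)}"

if __name__ == "__main__":
    # Constructed response from a server happy with any of three protocols.
    response_headers = [
        ("Content-Type", "text/html"),
        ("WWW-Authenticate", "KerberosV4"),
        ("WWW-Authenticate", "KerberosV5, PGP"),
    ]
    offered = parse_challenges(response_headers)   # ['KerberosV4', 'KerberosV5', 'PGP']
    print(choose_scheme(offered))                   # KerberosV5
    print(service_principal("http://bob.foo.com/index.html", lambda h: "FOO.COM"))
```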