Rick van Rein <r...@openfortress.nl> writes:

> Thanks, the terminology has indeed been confusing to me. I suppose
> things are as they are — or, as they have grown.

The short but less polite version is that HTTP-Negotiate with SPNEGO is a horrible hack from a Kerberos perspective. It sort of works as long as you know what to expect from it, but it's basically a half-assed one-sided authentication from the client to the server that doesn't behave like a real GSS-API authentication, doesn't give you mutual authentication or most of the other GSS-API guarantees, and cannot scale to other mechanisms or to sensible changes in how one wants the negotiation to work. Most of those problems are inherent in the way that it was plugged into HTTP and cannot easily be fixed.

Since HTTP doesn't provide any easy way for an authentication mechanism to add channel encryption, any proper solution is probably stuck with channel binding and using TLS for confidentiality. But within that constraint, it's probably possible to do better by taking the authentication out of the HTTP headers into, say, a separate exchange with different HTTP protocol verbs or with designated URLs, resulting in some sort of authenticator with channel bindings that must be provided in all subsequent HTTP requests in that session. Nico has done some work on such a protocol.

-- 
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
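The design Russ sketches (a separate authentication exchange that yields a channel-bound authenticator carried on every later request) is easier to reason about with a concrete model. The block below is an added illustration, not code from the mailing-list thread, from MIT Kerberos, or from the protocol Nico worked on. It computes an RFC 5929 `tls-server-end-point` channel binding over the server certificate, derives a per-request HMAC authenticator from a session key plus that binding, and shows why the binding matters: a request produced by a client that saw a TLS-terminating proxy's certificate fails verification at the real server, and a replayed request is rejected by its sequence number. The session key standing in for what a GSS-API/Kerberos exchange would produce, the two certificate byte strings, and the exact MAC layout are all constructed assumptions for the demonstration.

```python
"""Illustrative channel-bound per-request authenticator (added example).

Models the idea of a session authenticator tied to the TLS channel via
RFC 5929 tls-server-end-point. The MAC layout and the session-key
establishment are assumptions made for this demonstration, not a
published protocol.
"""
import hashlib
import hmac
import secrets

# Constructed stand-ins for DER-encoded certificates. Real code would hash
# the certificate bytes taken from the TLS connection itself.
SERVER_CERT_DER = b"constructed DER of the genuine server certificate"
MITM_CERT_DER = b"constructed DER of an interposed TLS-terminating proxy"


def tls_server_end_point(cert_der: bytes, sig_hash: str = "sha256") -> bytes:
    """RFC 5929 tls-server-end-point: hash the server certificate with the
    hash function of its signature algorithm, substituting SHA-256 when
    that algorithm uses MD5 or SHA-1 (as the RFC requires)."""
    if sig_hash.lower() in ("md5", "sha1"):
        sig_hash = "sha256"
    return hashlib.new(sig_hash, cert_der).digest()


def authenticator(session_key: bytes, cb: bytes, method: str, path: str, seq: int) -> bytes:
    """Per-request MAC over the channel binding, the request, and a sequence
    number (replay protection). Layout is an assumption for this example."""
    msg = b"\x00".join([cb, method.encode(), path.encode(), str(seq).encode()])
    return hmac.new(session_key, msg, hashlib.sha256).digest()


class Client:
    """Holds the session key from the (assumed) authentication exchange and the
    channel binding computed from the certificate it actually saw on its TLS
    connection; if a proxy terminated TLS, that is the proxy's certificate."""

    def __init__(self, session_key: bytes, observed_cert_der: bytes):
        self.key = session_key
        self.cb = tls_server_end_point(observed_cert_der)
        self.seq = 0

    def request(self, method: str, path: str) -> dict:
        self.seq += 1
        tag = authenticator(self.key, self.cb, method, path, self.seq)
        return {"method": method, "path": path, "seq": self.seq, "auth": tag.hex()}


class Server:
    """Recomputes the authenticator with its own certificate's binding, so any
    request minted against a different TLS endpoint fails to verify."""

    def __init__(self, session_key: bytes, own_cert_der: bytes):
        self.key = session_key
        self.cb = tls_server_end_point(own_cert_der)
        self.last_seq = 0

    def verify(self, req: dict) -> bool:
        if req["seq"] <= self.last_seq:
            return False  # replayed or reordered request
        expected = authenticator(self.key, self.cb, req["method"], req["path"], req["seq"])
        if not hmac.compare_digest(expected, bytes.fromhex(req["auth"])):
            return False  # wrong key or wrong channel (e.g. MITM certificate)
        self.last_seq = req["seq"]
        return True


def run_scenarios() -> tuple:
    """Returns (honest_ok, replay_ok, mitm_ok)."""
    # Stand-in for the key the GSS-API/Kerberos exchange would have produced.
    key = secrets.token_bytes(32)

    server = Server(key, SERVER_CERT_DER)
    honest = Client(key, SERVER_CERT_DER)
    first = honest.request("GET", "/mail/inbox")
    honest_ok = server.verify(first)
    replay_ok = server.verify(first)  # same request presented again

    # Proxy terminates TLS: the client bound its requests to the proxy's cert,
    # so even with the right session key the real server rejects them.
    server2 = Server(key, SERVER_CERT_DER)
    via_proxy = Client(key, MITM_CERT_DER)
    mitm_ok = server2.verify(via_proxy.request("GET", "/mail/inbox"))

    return honest_ok, replay_ok, mitm_ok


if __name__ == "__main__":
    print(run_scenarios())
```

The point the model makes visible is the one in the message: because the authenticator covers the channel binding, possession of a valid Kerberos-derived key is not enough on its own; the request must also have been made over the TLS connection the server actually terminates. Confidentiality still comes entirely from TLS, as Russ notes.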