I brain-o'ed on privacy protection. I understand what you meant now. See what Greg and Russ have to say. But I'll add a piece here as well:
- HTTP is not a simple protocol: there are proxies and routers involved.
- HTTP servers often act as routers.
- There can be many hops.
- A notional service might be composed of many sub-services. How to authenticate them to the user?
- HTTP is NOT connection-oriented. Requests and responses go over the same pipe, but that's about as far as connections relate to requests.

Clearly a single GSS security context token exchange per-connection isn't going to cut it, even with TLS and channel binding to it. Clearly a GSS security context token exchange per-request (!) is awful, though it is what actually happens in many cases.

Several attempts have been made to address this. At the moment there seems to be no interest in actually implementing and standardizing any proposals other than Google's channel-bound cookie concept. I believe that to be a fine solution. I'll explain more later.

Nico

--
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
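As an added illustration of the "channel-bound cookie" idea referred to above (example code written for this page, not from Nico's post and not Google's actual design): the server's authenticity tag on the cookie covers a channel binding value, so a cookie replayed over a different TLS channel fails verification. The HMAC layout, the server key and the constructed "TLS Finished" byte strings are assumptions of this example; the binding only reaches the endpoint that terminates TLS, which is exactly the proxy/hop problem the post raises.

```python
import hashlib
import hmac
import secrets

# Server-side secret for tagging cookies (constructed fresh for this example).
SERVER_KEY = secrets.token_bytes(32)


def channel_binding(tls_finished: bytes) -> bytes:
    """Derive a channel binding value from a TLS channel.

    A real deployment would use a defined binding such as tls-unique;
    here the input is a constructed stand-in for the TLS Finished message.
    """
    return hashlib.sha256(tls_finished).digest()


def issue_cookie(session_id: bytes, cb: bytes) -> str:
    """Issue a cookie whose tag covers both the session id and the channel."""
    tag = hmac.new(SERVER_KEY, session_id + b"|" + cb, hashlib.sha256).hexdigest()
    return session_id.hex() + "." + tag


def verify_cookie(cookie: str, cb: bytes) -> bool:
    """Accept the cookie only on the channel it was bound to."""
    try:
        sid_hex, tag = cookie.split(".", 1)
        session_id = bytes.fromhex(sid_hex)
    except ValueError:
        return False  # malformed cookie
    expected = hmac.new(SERVER_KEY, session_id + b"|" + cb, hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


def demo() -> dict:
    """Same channel verifies; a replay over another channel does not."""
    cb_original = channel_binding(b"constructed TLS Finished: client<->server A")
    cb_replay = channel_binding(b"constructed TLS Finished: client<->server B")
    cookie = issue_cookie(b"\x01\x02\x03\x04", cb_original)
    return {
        "same_channel": verify_cookie(cookie, cb_original),
        "other_channel": verify_cookie(cookie, cb_replay),
        "malformed": verify_cookie("not-a-cookie", cb_original),
    }


if __name__ == "__main__":
    print(demo())
```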
