On Tue, Aug 23, 2016 at 10:24 AM, Rick van Rein <r...@openfortress.nl> wrote:
> HTTP/Negotiate is indeed so sad that we've been working on an
> alternative, that is to integrate Kerberos + Diffie-Hellman into TLS.
> Then, once you get TLS going for your HTTPS, you would have established
> mutual trust and perfect forward secrecy.
Hi Rick,

Using the Kerberos ticket as the certificate on which to build TLS without using a CA and all of the work that goes with it seems much cleaner. I'm glad to see people working on this. But it would be even better if the client could (or had the option to) do authentication with the service directly and thus eliminate the numerous dependencies for clients (DNS, KDC access, stale tickets, time sync...). I'm not sure if that is possible with HTTP being stateless, but if it is, it could be the basis for proper Internet website security as well.

Mike

--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos