Hello Charles, > I???d like to be able to use Kerberos SPNEGO at home. Unfortunately the Mac > uses Heimdal.
SPNEGO has really a low security level. I am surprised this is considered acceptable for a https proxy. We are working on two better solutions, with software that classifies only little over "proof of concept'. - TLS-KDH to integrate Kerberos authentication with ECDH encryption; this combination is in fact Quantum Proof https://datatracker.ietf.org/doc/html/draft-vanrein-tls-kdh - HTTP-SASL integrates SASL as a HTTP authentication mechanism, and this is meant to allow Kerberos as well. In contrast with SPNEGO, it would be possible to require Channel Binding (at least to the webserver _name_). https://datatracker.ietf.org/doc/html/draft-vanrein-httpauth-sasl Take note: These have not even been proposed on this list, simply due to lack of time to actively discuss it (been mostly occupied with this and related implementations). So at best this could be a future opportunity. Still, your usecase may help to propell the work forward, so please share if this would be helpful for your situation. You may want to pass this by your sysadmin too. Cheers, -Rick ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
