W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > September to December 1999

Standardize Kerberos authentication and authorization in HTTP?

From: Mike Spreitzer <spreitze@parc.xerox.com>
Date: Tue, 2 Nov 1999 13:52:09 PST
To: "IETF HTTP WG" <http-wg@hplb.hpl.hp.com>
Message-ID: <003701bf257c$82df7c00$27d1000d@deimos.parc.xerox.com>
It seems to me that it would be good to have an IETF standard on how to do
Kerberos-based authentication and authorization in HTTP.  By the
authorization part I mean the ability to pass proxy tickets, including
forwarded and/or forwardable TGTs.  RFC 2712 (Kerberos in TLS) clearly
addresses the authentication part, but, because TLS doesn't address
authorization, does not clearly address the authorization part.  However, a
possible approach would be to use RFC 1964's technique of putting forwarded
tickets in the Authenticator (RFC 2712 *does* pass an Authenticator).  A
possible drawback of this approach is that some server-side products (e.g.,
Java Servelet engines) may not pass as many TLS details as they should.

Kerberos is well known in UNIX-land, and is coming in Windows 2000.  In
fact, Microsoft already has a way of doing both authentication and
authorization based on Kerberos.  An informed source tells me their
technique, while not publicly documented, is based on IETF standards (e.g.,
RFC 1964).  A plausible and happy scenario would be for them to submit
their technique, and a consensus formed around it.

Does this make sense to you?

Where should such an effort be homed?  Larry assures me the HTTP-WG is
shutting down and won't take any new work.  I don't have any strong opinion
on the matter.

Thanks,
Mike Spreitzer <spreitze@parc.xerox.com>
http://parcweb.parc/spreitze/ (Xerox internal)
http://www.parc.xerox.com/spreitze/ (external)
+1-650-812-4833
Received on Tuesday, 2 November 1999 21:52:58 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:34 EDT