
Re: Adding Kerberos use-case

From: Mountie Lee <mountie.lee@mw2.or.kr>
Date: Fri, 9 Nov 2012 10:20:05 +0900
Message-ID: <CAE-+aYKTuev5kqH0wA-UnubYtXp17hHu_YBXbaKGzmk15bWcJg@mail.gmail.com>
To: Thomas Hardjono <hardjono@mit.edu>
Cc: Ryan Sleevi <sleevi@google.com>, "public-webcrypto@w3.org" <public-webcrypto@w3.org>

Kerberos is normally used in private/closed networks.
An AD-joined network is one example of a private network.

What can we do with a Kerberos feature implemented at the browser level on
an open network?

On Fri, Nov 9, 2012 at 1:36 AM, Thomas Hardjono <hardjono@mit.edu> wrote:

>
> > From: mountie@paygate.net [mailto:mountie@paygate.net] On Behalf Of
> > Mountie Lee
> > Sent: Tuesday, November 06, 2012 7:54 PM
> > To: Ryan Sleevi
> > Cc: Thomas Hardjono; Harry Halpin; David Dahl; arun@mozilla.com;
> > public-webcrypto@w3.org
> > Subject: Re: Adding Kerberos use-case
> >
> > Kerberos depends on the time being correct on both client and
> > server.
> > My concern is that
> > vulnerabilities can be exposed because of a time difference between
> > browser and server.
> >
> > regards
> > Mountie
>
> Hi Mountie,
>
> There is a parameter in the admin config to set the
> tolerable skew time between the client and server.
> Having short life-time tickets minimizes the chances
> of successful replay attacks.
>
> FYI Kerberos is used in over 60% of medium-large Enterprises,
> due largely to Microsoft Windows (starting in Win2K onwards)
> and Active Directory. The MIT code base is used in many
> Enterprises for back-end server authentication.
>
> So Kerberos is a well understood and well-deployed protocol
> (been around over 25 years).
>
> Thanks.
>
> /thomas/


-- 
Mountie Lee

PayGate
CTO, CISSP
Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net

=======================================
PayGate Inc.
THE STANDARD FOR ONLINE PAYMENT
for Korea, Japan, China, and the World
Received on Friday, 9 November 2012 01:20:50 UTC
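
The two points raised in this thread (a tolerated clock skew, and short ticket lifetimes limiting replay) can be seen together in a small model of the service-side checks. This is an added example, not code from the thread, MIT Kerberos or Active Directory; the class name, the 300-second skew and the sample timestamps are assumptions, and a real replay cache keys on more fields than shown here.

```python
from dataclasses import dataclass, field


@dataclass
class Acceptor:
    """Simplified model of a Kerberos service checking an incoming request."""
    max_skew: int = 300                       # tolerated clock difference in seconds (assumed)
    seen: dict = field(default_factory=dict)  # replay cache: (client, auth_time) -> keep-until

    def check(self, client: str, auth_time: int, ticket_end: int, now: int) -> str:
        # Forget entries that the skew check alone would already reject.
        self.seen = {k: until for k, until in self.seen.items() if until >= now}
        # The ticket lifetime bounds how long a captured ticket is usable at all.
        if now > ticket_end + self.max_skew:
            return "ticket-expired"
        # The client's timestamp must be within the skew of the server clock.
        if abs(now - auth_time) > self.max_skew:
            return "clock-skew"
        # Inside the skew window only the cache can tell a replay from a fresh request.
        key = (client, auth_time)
        if key in self.seen:
            return "replay"
        self.seen[key] = auth_time + self.max_skew
        return "ok"


if __name__ == "__main__":
    svc = Acceptor()
    # Constructed requests: (client, client timestamp, ticket end time, server time)
    samples = [
        ("first use", ("alice", 1000, 1600, 1002)),
        ("replayed inside the skew window", ("alice", 1000, 1600, 1100)),
        ("replayed after the skew window", ("alice", 1000, 1600, 1301)),
        ("honest client, clock off by 400 s", ("bob", 1000, 1600, 1400)),
        ("fresh timestamp, expired ticket", ("alice", 2000, 1600, 2000)),
    ]
    for label, args in samples:
        print(f"{label}: {svc.check(*args)}")
```

A larger `max_skew` tolerates worse client clocks but lengthens both the window in which a captured request is only stopped by the cache and the time each cache entry must be kept.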
