- From: Mike Spreitzer <spreitze@parc.xerox.com>
- Date: Tue, 2 Nov 1999 13:52:09 PST
- To: IETF HTTP WG <http-wg@hplb.hpl.hp.com>
It seems to me that it would be good to have an IETF standard on how to do Kerberos-based authentication and authorization in HTTP. By the authorization part I mean the ability to pass proxy tickets, including forwarded and/or forwardable TGTs. RFC 2712 (Kerberos in TLS) clearly addresses the authentication part, but, because TLS doesn't address authorization, does not clearly address the authorization part. However, a possible approach would be to use RFC 1964's technique of putting forwarded tickets in the Authenticator (RFC 2712 *does* pass an Authenticator). A possible drawback of this approach is that some server-side products (e.g., Java Servelet engines) may not pass as many TLS details as they should. Kerberos is well known in UNIX-land, and is coming in Windows 2000. In fact, Microsoft already has a way of doing both authentication and authorization based on Kerberos. An informed source tells me their technique, while not publicly documented, is based on IETF standards (e.g., RFC 1964). A plausible and happy scenario would be for them to submit their technique, and a consensus formed around it. Does this make sense to you? Where should such an effort be homed? Larry assures me the HTTP-WG is shutting down and won't take any new work. I don't have any strong opinion on the matter. Thanks, Mike Spreitzer <spreitze@parc.xerox.com> http://parcweb.parc/spreitze/ (Xerox internal) http://www.parc.xerox.com/spreitze/ (external) +1-650-812-4833
Received on Tuesday, 2 November 1999 13:56:42 UTC