Standardize Kerberos authentication and authorization in HTTP?

It seems to me that it would be good to have an IETF standard on how to do
Kerberos-based authentication and authorization in HTTP.  By the
authorization part I mean the ability to pass proxy tickets, including
forwarded and/or forwardable TGTs.  RFC 2712 (Kerberos in TLS) clearly
addresses the authentication part, but, because TLS doesn't address
authorization, does not clearly address the authorization part.  However, a
possible approach would be to use RFC 1964's technique of putting forwarded
tickets in the Authenticator (RFC 2712 *does* pass an Authenticator).  A
possible drawback of this approach is that some server-side products (e.g.,
Java Servelet engines) may not pass as many TLS details as they should.

Kerberos is well known in UNIX-land, and is coming in Windows 2000.  In
fact, Microsoft already has a way of doing both authentication and
authorization based on Kerberos.  An informed source tells me their
technique, while not publicly documented, is based on IETF standards (e.g.,
RFC 1964).  A plausible and happy scenario would be for them to submit
their technique, and a consensus formed around it.

Does this make sense to you?

Where should such an effort be homed?  Larry assures me the HTTP-WG is
shutting down and won't take any new work.  I don't have any strong opinion
on the matter.

Mike Spreitzer <>
http://parcweb.parc/spreitze/ (Xerox internal) (external)

Received on Tuesday, 2 November 1999 13:56:42 UTC