- From: Adrien de Croy <adrien@qbik.com>
- Date: Thu, 01 Mar 2012 13:55:45 +1300
- To: Amos Jeffries <squid3@treenet.co.nz>
- CC: ietf-http-wg@w3.org
On 1/03/2012 1:46 p.m., Amos Jeffries wrote:
> On 01.03.2012 13:13, Adrien de Croy wrote:
>> NTLM could be made non-connection-oriented if http auth had some sort
>> of context attribute that identified the auth conversation (in both
>> challenges and responses), instead of having to associate it with the
>> connection.
>
> No. That just makes HTTP connection-oriented at the abstract level of
> channels. No change to NTLM.

I disagree. NTLM works even over UDP. It's just 3 messages. There's nothing tying it to a TCP connection inside the NTLM protocol.

Sure, it's a couple more messages than simple challenge-response. Normally it ends in 3 requests and 2 challenges. But it could be decoupled from the TCP connection. Subsequent requests would just need to be able to remind the server which auth conversation they relate to - e.g. by sending back a token (nonce). This token could then even be timed out by the server.

All the server needs to do to poke the next token into the SSPI is resolve the auth context. A simple map of auth-conversation-token to SSPI token would take care of that. It would even allow for things like impersonation of the client if done properly.

These could conceivably be replayed though, but doesn't Digest suffer from that?

> NTLM would also require dropping the second-stage token exchange
> through the channel it's authenticating. Which is effectively Kerberos,
> and also a reason behind Kerberos being preferred for implementation
> instead of NTLM across the WAN.

NTLM is nothing like Kerberos in terms of crypto etc.

Sure, Kerberos has many advantages. For instance in SOCKS auth, you can do a Kerberos auth with 1 message from the client. That I presume is because the ticket is obtained out of band.

Adrien

> AYJ

-- 
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
WinGate 7 is released! - http://www.wingate.com/getlatest/
Received on Thursday, 1 March 2012 00:56:22 UTC
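The design sketched in the message above, as an added example that is not part of the thread and not WinGate or Squid code: a three-message NTLM-shaped exchange in which the server hands out a conversation token with its challenge and keeps a map from that token to the pending auth context, with a timeout, so the final message can arrive on any connection. The `NTLM ctx=... nonce=...` header layout, the single-use token (which is what makes a replayed final message fail, the replay concern raised in the message), and the HMAC-SHA256 stand-in for NTLM's real response computation are assumptions of this example, not anything the thread specifies. The user table and secrets are constructed test data.

```python
# Added example (not from the mailing-list thread): an NTLM-shaped 3-message
# exchange keyed by a server-issued conversation token rather than the TCP
# connection. The header format, the single-use token and the HMAC-SHA256
# stand-in for NTLM's real response computation are all assumptions.
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 30.0


def stand_in_response(secret: bytes, server_nonce: bytes, client_nonce: bytes) -> bytes:
    """Stand-in for the NTLM response: HMAC over both nonces. Real NTLM uses
    MD4/HMAC-MD5 constructions; only the challenge/response shape is kept."""
    return hmac.new(secret, server_nonce + client_nonce, hashlib.sha256).digest()


class ConversationStore:
    """The 'map of auth-conversation-token to context' from the mail, with expiry."""

    def __init__(self, ttl: float, clock=time.monotonic):
        self.ttl, self.clock = ttl, clock
        self._pending: Dict[str, Tuple[bytes, float]] = {}

    def open(self, server_nonce: bytes) -> str:
        token = secrets.token_urlsafe(16)  # unguessable conversation id
        self._pending[token] = (server_nonce, self.clock() + self.ttl)
        return token

    def take(self, token: str) -> Optional[bytes]:
        """Resolve the context and consume it, so a replayed final message finds
        nothing (single-use is an assumption chosen to address the replay worry)."""
        entry = self._pending.pop(token, None)
        if entry is None:
            return None
        server_nonce, expires_at = entry
        return None if self.clock() > expires_at else server_nonce


class Server:
    def __init__(self, users: Dict[str, bytes], ttl: float = TOKEN_TTL_SECONDS, clock=time.monotonic):
        self.users = users
        self.store = ConversationStore(ttl, clock)

    def handle(self, authorization: Optional[str]) -> Tuple[int, Optional[str], Optional[str]]:
        """Return (status, WWW-Authenticate value, authenticated user). Accepts
        'NTLM' (negotiate) or 'NTLM ctx=<token> user=<u> cnonce=<hex> resp=<hex>'."""
        parts = (authorization or "").split()
        if not parts or parts[0] != "NTLM":
            return 401, "NTLM", None
        if len(parts) == 1:  # negotiate: issue challenge plus conversation token
            nonce = secrets.token_bytes(8)
            return 401, f"NTLM ctx={self.store.open(nonce)} nonce={nonce.hex()}", None
        try:
            f = dict(p.split("=", 1) for p in parts[1:])
            nonce = self.store.take(f["ctx"])  # unknown, expired or already used -> None
            secret = self.users.get(f["user"])
            if nonce is None or secret is None:
                return 401, "NTLM", None
            expected = stand_in_response(secret, nonce, bytes.fromhex(f["cnonce"]))
            if not hmac.compare_digest(expected, bytes.fromhex(f["resp"])):
                return 401, "NTLM", None
            return 200, None, f["user"]
        except (KeyError, ValueError):
            return 400, None, None


class Client:
    def __init__(self, user: str, secret: bytes):
        self.user, self.secret = user, secret

    def negotiate(self) -> str:
        return "NTLM"

    def authenticate(self, www_authenticate: str) -> str:
        f = dict(p.split("=", 1) for p in www_authenticate.split()[1:])
        cnonce = secrets.token_bytes(8)
        resp = stand_in_response(self.secret, bytes.fromhex(f["nonce"]), cnonce)
        return f"NTLM ctx={f['ctx']} user={self.user} cnonce={cnonce.hex()} resp={resp.hex()}"


def run_exchange(server: Server, client: Client) -> Tuple[list, str]:
    """Drive the 3-request exchange; return the status sequence and the final
    Authorization header so the caller can try replaying it."""
    statuses = []
    s, _, _ = server.handle(None)                     # request 1: no credentials
    statuses.append(s)
    s, challenge, _ = server.handle(client.negotiate())  # request 2: negotiate
    statuses.append(s)
    final = client.authenticate(challenge)
    s, _, _ = server.handle(final)                    # request 3: authenticate
    statuses.append(s)
    return statuses, final


if __name__ == "__main__":
    srv = Server({"alice": b"alice-secret"})  # constructed test user
    statuses, final = run_exchange(srv, Client("alice", b"alice-secret"))
    print("exchange:", statuses)
    print("replay:", srv.handle(final)[0])
```

Each request is handled independently; nothing in `Server.handle` looks at which connection a request arrived on, which is the property the message argues for. Consuming the token on first use and expiring it after `TOKEN_TTL_SECONDS` are the two server-side controls the message mentions (timeout) or that its replay remark invites (single use); a real deployment would also bound the number of pending conversations so that unanswered negotiate messages cannot fill the map.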