Check out the kx509 from the University of Michigan. http://www.citi.umich.edu/projects/kerb_pki/
It uses Kerberos to authenticate to a CA to get a short-term certificate based on the lifetime of the Kerberos ticket. The certificate and key are then saved in the ticket cache, and a browser plugin which uses PKCS#11 accesses the cache. Thus it uses SSL with certificates with no changes to the browser or server.

"Stephen A. Cochran" wrote:
>
> I'm curious what other sites are doing for http authentication using
> Kerberos. There have been various projects in the past, but none have been
> the perfect solution (kerberos built into the browsers).
>
> We've been using Sidecar here at Dartmouth, but are running into more and
> more users who are behind firewalls or NAT, or unable to install the
> kerberos software.
>
> There are various other solutions, the ones I've found are listed below:
>
> - The proxy method: a web server that acts as the kerberos proxy and holds
> the tickets, and then hands out cookies or certificates to the browsers
>
> - Sidecar: a separate application on the client that listens for incoming
> connections from the server to pass back the kerberos ticket. There are
> some security concerns with this on multi-user systems like Unix and Mac
> OS X, no one has written a sidecar version that is safe for multiuser
> machines.
>
> - Project Minotaur: A CMU project that uses the plugin architecture of
> MSIE and Netscape and java/javascript to handle the kerberos side of
> authentication for the browser.
>
> <http://asg.web.cmu.edu/minotaur/index.html>
>
> - There seems to be a draft spec on using kerberos for SSL authentication,
> but I haven't found any evidence that any of the software exists or is in
> use.
>
> <http://www.ornl.gov/~jar/HowToKerb.html#Auth>
>
> Are there any other ideas in use out there that I haven't listed? We're
> trying to figure out what we want to do as we go forward, and are looking
> for what other institutions are using.
>
> Steve Cochran
> Dartmouth College

--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444