Could you elaborate on how this would break the HTTP spec? I was
under the (admittedly naive) impression that more or less any
challenge-response authentication mechanism could be implemented in
HTTP via the HTTP 401 error code. So presumably I would think that
GSS context tokens could be exchanged through this mechanism. (E.g.,
client sends a request with an initial context token, server returns
an HTTP 401 with a continuation token, client resends request with
context completion token, and perhaps subsequent requests contain
some context identifier.)

This approach may not be standard, but a standard authentication
mechanism could theoretically be proposed. I don't see how it breaks
HTTP, but I'm not an HTTP expert.

Thanks,
Fred

On Jul 11, 2005, at 12:59 PM, Wyllys Ingersoll wrote:
Mutual authentication is not supported correctly because it is not
possible to do so without violating the HTTP spec.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos