> The hope is that the proxy will read requests and validate them. Thus
> passing through the proxy would be less dangerous than exposing port 88
> directly. If that's not true, we should consider the risks of making
> port 88 available, or give up.
I'm curious as to exactly what validation for requests you think the HTTP proxy is doing that the KDC is not. The only meaningful validation I can think of would require the proxy to handle all of the functions of the KDC itself (and honestly, I suspect the only validation that the proxy is doing is, "Looks like a valid HTTP request that doesn't have any of the common SQL injection attacks in the URL"). I mean, I've certainly been in the situation where we are required to do something dumb to satisfy an overly-broad security requirement, but I always try to acknowledge the dumbness.

--Ken

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos