Re: Challenging clients, why another ping-pong?

2014-02-06 Thread Nico Williams
I brain-o'ed on privacy protection. I understand what you meant now. See what Greg and Russ have to say. But I'll add a piece here as well: - HTTP is not a simple protocol: there are proxies and routers involved. - HTTP servers often act as routers. - There can be many hops. - A notional

Re: Challenging clients, why another ping-pong?

2014-02-06 Thread Russ Allbery
Rick van Rein writes: > Thanks, the terminology has indeed been confusing to me. I suppose > things are as they are — or, as they have grown. The short but less polite version is that HTTP-Negotiate with SPNEGO is a horrible hack from a Kerberos perspective. It sort of works as long as you kno

Re: Challenging clients, why another ping-pong?

2014-02-06 Thread Rick van Rein
Hi Greg, Thanks, the terminology has indeed been confusing to me. I suppose things are as they are — or, as they have grown. Thanks, -Rick Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Challenging clients, why another ping-pong?

2014-02-06 Thread Greg Hudson
On 02/06/2014 08:42 AM, Rick van Rein wrote: > In my RFC 4599 it says "The initial WWW-Authenticate header will not carry > any gssapi-data." and I was wondering if I missed some cryptographic reason > to delay the challenge until later. Some terminology clarification is in order: * SPNEGO (RFC

Re: Challenging clients, why another ping-pong?

2014-02-06 Thread Rick van Rein
Hi Nico, Thanks for your extensive response! > GSS-API exchanges always begin with an initial security context token. > SPNEGO can carry an initial security context token for an > optimistically selected mechanism. In my RFC 4599 it says "The initial WWW-Authenticate header will not carry any g

Re: Challenging clients, why another ping-pong?

2014-02-05 Thread Nico Williams
On Tue, Feb 4, 2014 at 5:58 AM, Rick van Rein wrote: > Hello Greg, > >> What are you looking at specifically? GSSAPI exchanges begin with the >> client. > > I thought you might say that. I was looking at SPNEGO, which embeds GSSAPI > but where the initiative is (usually) taken by the server. I

Re: Challenging clients, why another ping-pong?

2014-02-04 Thread Rick van Rein
Hello Greg, > What are you looking at specifically? GSSAPI exchanges begin with the > client. I thought you might say that. I was looking at SPNEGO, which embeds GSSAPI but where the initiative is (usually) taken by the server. It’s a waste that SPNEGO doesn’t communicate a challenge at that

Re: Challenging clients, why another ping-pong?

2014-02-03 Thread Greg Hudson
On 02/03/2014 09:41 AM, Rick van Rein wrote: > Looking at SPNEGO (and probably other protocols as well) I see that the > server can take the initiative for a GSSAPI exchange, and when doing so, it > could already challenge the client. What are you looking at specifically? GSSAPI exchanges begi

Challenging clients, why another ping-pong?

2014-02-03 Thread Rick van Rein
Hello, GSSAPI-based protocols have an option of challenging a client with a counter value. This is done after the client submits a ticket. Looking at SPNEGO (and probably other protocols as well) I see that the server can take the initiative for a GSSAPI exchange, and when doing so, it could
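Two points recur across the thread: the first WWW-Authenticate: Negotiate a server sends carries no gssapi-data, and the GSS-API context token the client then sends is the first token of the exchange. The following is an added example written for this page, not code from any of the posters or from MIT Kerberos. It parses a WWW-Authenticate field value into its individual challenges (RFC 7235 grammar) and distinguishes the bare Negotiate challenge from one that carries base64 gssapi-data, which is what a server sends on a continuation 401 or, for mutual authentication, on the final response. The function names and every header value in it are constructed for illustration.

```python
"""Parse WWW-Authenticate challenges and extract Negotiate gssapi-data.

Added example for this thread; not code from the list posters or from
MIT Kerberos. All header values used below are constructed samples.
"""
import base64
import binascii
import re

# RFC 7235 token characters (auth-scheme, auth-param names and bare values).
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# token68: the shape base64 gssapi-data takes after "Negotiate ".
_TOKEN68_RE = re.compile(r"^[A-Za-z0-9._~+/\-]+=*$")
# auth-param: name=token or name="quoted-string"
_PARAM_RE = re.compile(
    r'^(' + _TOKEN + r')\s*=\s*(?:"((?:[^"\\]|\\.)*)"|(' + _TOKEN + r'))$'
)


def _split_unquoted_commas(value):
    """Split on commas outside quoted-strings, so realm="a, b" stays whole."""
    pieces, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            buf.append(ch)
            escaped = False
        elif quoted and ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            quoted = not quoted
            buf.append(ch)
        elif ch == "," and not quoted:
            pieces.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    pieces.append("".join(buf))
    return [p.strip() for p in pieces if p.strip()]


def _param(match):
    name = match.group(1).lower()
    value = match.group(2) if match.group(2) is not None else match.group(3)
    return name, value


def parse_challenges(header_value):
    """Return [(scheme, data), ...] for one WWW-Authenticate field value.

    data is None for a bare challenge ("Negotiate"), the raw token68 string
    for "Negotiate <base64>", or a dict of auth-params (Basic realm="x").
    Schemes and param names are lower-cased because they are case-insensitive.
    A combined header such as "Negotiate, NTLM" yields two bare challenges.
    """
    challenges = []
    for piece in _split_unquoted_commas(header_value):
        m = _PARAM_RE.match(piece)
        if m and challenges and not isinstance(challenges[-1][1], str):
            # "name=value" after a comma continues the previous challenge's
            # param list, e.g. Digest realm="r", nonce="n".
            scheme, data = challenges[-1]
            data = dict(data or {})
            data.update([_param(m)])
            challenges[-1] = (scheme, data)
            continue
        parts = piece.split(None, 1)
        scheme = parts[0]
        rest = parts[1].strip() if len(parts) > 1 else ""
        if not re.fullmatch(_TOKEN, scheme):
            raise ValueError("malformed challenge: %r" % piece)
        if not rest:
            challenges.append((scheme.lower(), None))
        elif _TOKEN68_RE.match(rest) and not _PARAM_RE.match(rest):
            challenges.append((scheme.lower(), rest))
        else:
            pm = _PARAM_RE.match(rest)
            if pm is None:
                raise ValueError("malformed challenge: %r" % piece)
            challenges.append((scheme.lower(), dict([_param(pm)])))
    return challenges


def negotiate_gssapi_data(header_value):
    """Decode the gssapi-data of the first Negotiate challenge.

    Returns None for the bare "Negotiate" a server sends first: the header
    carries nothing for the client to answer, so the client has to build the
    initial GSS-API context token itself. Raises LookupError when no
    Negotiate challenge is offered and ValueError when the data is not
    valid base64 (missing trailing padding is tolerated and restored).
    """
    for scheme, data in parse_challenges(header_value):
        if scheme != "negotiate":
            continue
        if data is None:
            return None
        if not isinstance(data, str):
            raise ValueError("Negotiate carries token68 data, not auth-params")
        padded = data + "=" * (-len(data) % 4)
        try:
            return base64.b64decode(padded, validate=True)
        except binascii.Error as exc:
            raise ValueError("gssapi-data is not valid base64") from exc
    raise LookupError("no Negotiate challenge offered")


if __name__ == "__main__":
    # Constructed samples: the bare first challenge, then a continuation.
    for hdr in ("Negotiate", "Negotiate, NTLM", "Negotiate YWJjZA=="):
        print(repr(hdr), "->", parse_challenges(hdr), negotiate_gssapi_data(hdr))
```

A None result from negotiate_gssapi_data is the cue that the client, not the server, opens the GSS-API exchange; any bytes returned are a server token to feed into the client's next context-establishment step. The splitter is needed because a proxy or server may fold several WWW-Authenticate headers into one comma-separated value, and a naive split on commas would cut a quoted realm in half.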