Re: Please review: http gss authentication mech

I don't speak for kitten and I'm not familiar with the TLS channel binding
thing but the only flaw in the Negotiate method that really
jumps out is the conflict between stateful GSSAPI and stateless HTTP. How
does your method address this issue?

For example, consider a client that pipelines 10 requests. The server
responds to the first and the client submits another token. How will
you distinguish secondary or tertiary tokens from one another?

What happens if the 5th request in a pipeline fails GSS?

What happens if the 5th request in a pipeline sends connection: close?

These are the sort of things that cause problems with mechanisms that
require more than one exchange (e.g. I suspect this is a source of
mysterious NTLM failures reported occasionally).

Mike

On Thu, 09 Nov 2006 20:23:46 +0100
Leif Johansson <leifj at it.su.se> wrote:

> http://www.ietf.org/internet-drafts/draft-johansson-http-gss-00.txt

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/

_______________________________________________
Kitten mailing list
Kitten at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/kitten




Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.