Hi Paul and Carl,
Apropos - in the SNMPv3 WG they are now moving
forward an alternate standard security model
(instead of RFC 2574) - Kerberos 5.
Cheers,
- Ira McDonald
PS - If your HTTP layer is doing Kerberos or other
magic that provides strong security and integrity
then sending a meaningful user name in the
"requesting-user-name" attribute becomes suitable
in some applications (as opposed to looking for
the ephemeral 'most authenticated user name').
-----Original Message-----
From: pmoore at peerless.com [mailto:pmoore at peerless.com]
Sent: Tuesday, August 15, 2000 11:27 AM
To: Carl Kugler/Boulder/IBM
Cc: pmoore at peerless.com; Peter.Zehler at usa.xerox.com; ipp at pwg.org
Subject: Re: IPP> TES - Bake-Off Phone conference
Correct - there is no standard for Kerberizing HTTP. MS have added a new
authentication scheme that triggers a GSSAPI/SPNEGO interaction. This does
either Kerberos or NTLM depending on whether or not the client is capable of
Kerberos. Throw in a bit of Base64 encoding and you're done.
"Carl Kugler/Boulder/IBM" <kugler at us.ibm.com> on 08/15/2000 11:13:10 AM
To: pmoore at peerless.com
cc: Peter.Zehler at usa.xerox.com, ipp at pwg.org (bcc: Paul Moore/AUCO/US)
Subject: Re: IPP> TES - Bake-Off Phone conference
Hmm... I wasn't aware of a standard for Kerberos HTTP authentication,
either, although there has been some recent discussion on the http-wg list
about "ticket based authentication" (see
http://www.ics.uci.edu/pub/ietf/http/hypermail/2000/0165.html). How does
W2K implement this?
-Carl
pmoore at peerless.com on 08/15/2000 11:41:16 AM
To: Carl Kugler/Boulder/IBM at IBMUS
cc: Peter.Zehler at usa.xerox.com, ipp at pwg.org
Subject: Re: IPP> TES - Bake-Off Phone conference
IE5 on Windows 2000, and hence the MS IPP client on Windows 2000, does
Kerberos authentication. IPP just rides on the back of whatever HTTP
authentication happens to be available.
"Carl Kugler/Boulder/IBM" <kugler at us.ibm.com> on 08/15/2000 09:27:36 AM
To: Peter.Zehler at usa.xerox.com
cc: ipp at pwg.org (bcc: Paul Moore/AUCO/US)
Subject: Re: IPP> TES - Bake-Off Phone conference
> 1) A quick walk through the Bake-Off testing outline. The objective is to
> get some input on specific areas of testing.
> The document is located at
> "ftp://www.pwg.org/pub/pwg/ipp/new_TES/IPP-Test-Plan-000814.pdf".
Peter-
I see Kerberos listed under Authentication and Security. I didn't know IPP
had Kerberos authentication. I'm interested in finding out more about
this. Kerberos has a lot of advantages in a distributed environment, e.g.,
single sign on and centralized administration.
-Carl
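
Added example, not part of the original thread or of any vendor's code: a server-side check that Base64-decodes the token from the GSSAPI/SPNEGO HTTP scheme described above and reports whether the client offered Kerberos or NTLM, which is what an IPP server needs to log or reject NTLM fallback. The scheme name "Negotiate" (as later documented in RFC 4559) is not named in the thread, and the sample tokens and function names are constructed for illustration.

```python
import base64

SPNEGO_OID = bytes.fromhex("2b0601050502")  # 1.3.6.1.5.5.2
MECHS = {
    bytes.fromhex("2a864886f712010202"): "Kerberos 5",              # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "Kerberos 5 (MS legacy)",  # 1.2.840.48018.1.2.2
    bytes.fromhex("2b06010401823702020a"): "NTLM",                  # 1.3.6.1.4.1.311.2.2.10
}

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def offered_mechs(token):
    """List the mechanisms a SPNEGO NegTokenInit offers, in preference order."""
    tag, body, _ = tlv(token, 0)            # 0x60: GSS-API initial context token
    oid_tag, oid, pos = tlv(body, 0)
    if tag != 0x60 or oid_tag != 0x06 or oid != SPNEGO_OID:
        raise ValueError("not a SPNEGO initial token")
    _, init, _ = tlv(tlv(body, pos)[1], 0)  # [0] wrapper, then NegTokenInit SEQUENCE
    tag, field, _ = tlv(init, 0)            # [0] mechTypes
    if tag != 0xA0:
        raise ValueError("mechTypes missing")
    mech_list, names, pos = tlv(field, 0)[1], [], 0
    while pos < len(mech_list):
        _, oid, pos = tlv(mech_list, pos)
        names.append(MECHS.get(oid, "unknown:" + oid.hex()))
    return names

def classify(header_value):
    """Classify an Authorization header value as other, raw NTLM, or SPNEGO."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme.lower() != "negotiate":
        return ("other", [])
    token = base64.b64decode(b64.strip(), validate=True)
    if token.startswith(b"NTLMSSP\x00"):    # NTLM message sent without a SPNEGO wrapper
        return ("raw NTLM", ["NTLM"])
    return ("SPNEGO", offered_mechs(token))

# Constructed samples: a NegTokenInit offering Kerberos then NTLM, and an NTLM type 1 stub.
SPNEGO_SAMPLE = bytes.fromhex("602706062b0601050502a01d301ba019301706092a864886f712010202"
                              "060a2b06010401823702020a")
NTLM_SAMPLE = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + bytes(4)
```

The mechTypes list shows what the client offered, not what was finally selected; the first entry is the client's preferred mechanism.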