Re: FYI: Plexus 2.1 is now available

Tony Sanders (sanders@bsdi.com)
Mon, 24 May 1993 10:22:02 -0500


> > * 4) The browser detects the 402 error code and initiates a dialog
> > containing the information from the Cost: field and requests
> > the password which is used to authenticate the user in the
> > server's Realm and get a ticket for the server's Instance.
>
> A yes/no confirmation dialog is useful if there is a real cost, but the
> browser should never see the password.
>
> 1) Kerberos should normally be invisible to users; there should be a
> TGT whenever the user is logged in.
Yes, for a single realm. The problem is that with the Web you are reading
documents from all over (many possible realms). Are you going to require
that the user kinit in a shell window for each document at a different
site (possibly having to exit the browser each time for line-mode browsers
with no job control)?

> 2) AFS kerberos uses a different password->key mapping, so you'd have a
> problem with AFS sites. (Problem #1; how do you tell apart sites using
> AFS Kerberos? We use AFS with MIT Kerberos).
It would have to be a different protocol. I chose kerberosIV-1 as the name
of this protocol; another might be kerberosAFS-1, there would also be
kerberosV-1 and maybe even kerberosIV-2.

> 3) It's bad policy for users to get into the habit of entering their
> passwords into programs other than passwd, kinit and login.
I cannot think of any other reasonable solution with the current
technology (and I'm not interested in rolling my own).

> we'd be happy to try a Kerberised client and server, as authenticated
> info serving is something of a wish here.
great

--sanders