From owner-freebsd-chat Sat Dec 8 7:44:48 2001
Delivered-To: freebsd-chat@freebsd.org
Received: from serenity.mcc.ac.uk (serenity.mcc.ac.uk [130.88.200.93]) by hub.freebsd.org (Postfix) with ESMTP id B545E37B416 for ; Sat, 8 Dec 2001 07:44:43 -0800 (PST)
Received: from dogma.freebsd-uk.eu.org ([130.88.200.97] helo=dogma) by serenity.mcc.ac.uk with esmtp (Exim 2.05 #6) id 16Cjec-000Pa2-00; Sat, 8 Dec 2001 15:44:42 +0000
Received: (from jcm@localhost) by dogma (8.11.4/8.11.1) id fB8Fif261567; Sat, 8 Dec 2001 15:44:41 GMT (envelope-from jcm)
Date: Sat, 8 Dec 2001 15:44:41 +0000
From: j mckitrick
To: "Jason C. Wells"
Cc: freebsd-chat@FreeBSD.ORG
Subject: Re: Can someone explain the Passport/Kerberos connection?
Message-ID: <20011208154441.A61548@dogma.freebsd-uk.eu.org>
References: <20011207161949.B48707@dogma.freebsd-uk.eu.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: ; from jcwells@highperformance.net on Fri, Dec 07, 2001 at 08:53:41AM -0800
Sender: owner-freebsd-chat@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Fri, Dec 07, 2001 at 08:53:41AM -0800, Jason C. Wells wrote:
| On Fri, 7 Dec 2001, j mckitrick wrote:
|
| > I have a basic understanding how Kerberos works, with tickets,
| > encryption, and authentication. I guess my real question is how is this
| > implemented in http? How does Passport use it to lock an identity to
| > one session on a browser somewhere?
|
| Got a URL? I am slowly working on my Kerberos knowledge these days.
|
| I would venture that it is just like any other kerberized app except that
| it somehow supports the non-persistent http connection. It might use the
| tickets to reauthenticate with each new GET or it might put an expiration
| time on a session. One would be more secure. The latter would use less
| overhead.

I don't have any specific URL for the info. I've just gleaned the info
from various articles I've read. If it is so critical that a browser
session be bound to a certain Passport identity for security reasons, it
seems that something more than cookies would be called for. Unless cookies
are more flexible and secure than I realize.

jm
--
My other computer is your windows box.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-chat" in the body of the message
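
The second option raised in the quoted reply (an expiration time on a session) and the question of whether a cookie can bind a browser session to an identity, shown as an added example that is not part of the original message and does not describe how Passport works. The `identity|expiry|mac` cookie layout, the function names and the key are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed demo key (assumption); a real server would load a random secret.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def _mac(payload: str) -> str:
    """HMAC-SHA256 over the payload, base64url-encoded (never contains '|')."""
    digest = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode()


def issue_cookie(identity: str, now: int, lifetime: int = 900) -> str:
    """Called once, after the user has authenticated: bind identity to an expiry."""
    payload = f"{identity}|{now + lifetime}"
    return f"{payload}|{_mac(payload)}"


def verify_cookie(cookie: str, now: int):
    """Run on every GET. Returns the identity, or None if forged, altered or expired.

    The check is a local MAC computation, so no round trip to the
    authentication service is needed per request (the "less overhead" option).
    """
    try:
        identity, expiry, mac = cookie.rsplit("|", 2)
        expires_at = int(expiry)
    except ValueError:
        return None  # wrong number of fields or non-numeric expiry
    expected = _mac(f"{identity}|{expiry}")
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    if now >= expires_at:
        return None
    return identity


if __name__ == "__main__":
    c = issue_cookie("jm@example.org", now=1000)       # constructed identity
    print(verify_cookie(c, now=1500))                   # accepted within lifetime
    print(verify_cookie(c.replace("jm@", "root@"), now=1500))  # altered identity
    print(verify_cookie(c, now=1900))                   # expired
```

The MAC stops a client from forging or editing the identity and expiry, but the cookie remains a bearer token: a copy stolen in transit is valid until it expires, which is the security cost of this option compared with reauthenticating on each request.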