[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: mod_auth_kerb and Heimdal KDC

On Thu, Aug 22, 2002 at 10:12:28AM -0400, Ken Hornstein wrote:
> >Just a remark to SSL:
> >The Microsoft draft (which the Mozilla+Apache patches are based on) specifies
> >only mechanims for authentication. Some another method (e.g. SSL) must be used 
> >to ensure integrity control of transmitted HTTP messages. Otherwise, a
> >malicious user would be able to copy an Authorization header (comming from a
> >valid user) and past it to another message.
> I sure hope your Kerberos implementation includes a replay cache ... if it
> does, then this can't happen.

To quote from Heimdal's TODO:
"the replay cache is, in its current state, not very useful"

Perhaps someone more familiar with the Heimdal code will give more
information. Moreover, in general I think that some integrity control
mechanism is appropriate for transmission of authenticated information.