IPP Mail Archive: RE: IPP> TES - Bake-Off Phone conference

RE: IPP> TES - Bake-Off Phone conference

From: McDonald, Ira (imcdonald@sharplabs.com)
Date: Tue Aug 15 2000 - 21:31:41 EDT

  • Next message: McDonald, Ira: "RE: IPP>NOT mailto feature from IETF meeting (RE: IPP> ADM - The IPP Notification I-Ds will now go the IESG)"

    Hi Paul and Carl,

    Apropos - in the SNMPv3 WG they are now moving
    forward an alternate standard security model
    (instead of RFC 2574) - Kerberos 5.

    Cheers,
    - Ira McDonald

    PS - If your HTTP layer is doing Kerberos or other
    magic that provides strong security and integrity
    then sending a meaningful user name in the
    "requesting-user-name" attribute becomes suitable
    in some applications (as opposed to looking for
    the ephemeral 'most authenticated user name').

    -----Original Message-----
    From: pmoore@peerless.com [mailto:pmoore@peerless.com]
    Sent: Tuesday, August 15, 2000 11:27 AM
    To: Carl Kugler/Boulder/IBM
    Cc: pmoore@peerless.com; Peter.Zehler@usa.xerox.com; ipp@pwg.org
    Subject: Re: IPP> TES - Bake-Off Phone conference

    Correct - there is no standard for Kerberizing HTTP. MS have added a new
    authentiation scheme that triggers a GSSAPI/SPNEGO interaction. This does
    either
    Kerberos or NTLM depending on whether or not the client is capable of
    Kerberos.
    Throw in a bit of Base64 encoding and you're done.

    "Carl Kugler/Boulder/IBM" <kugler@us.ibm.com> on 08/15/2000 11:13:10 AM

    To: pmoore@peerless.com
    cc: Peter.Zehler@usa.xerox.com, ipp@pwg.org (bcc: Paul Moore/AUCO/US)

    Subject: Re: IPP> TES - Bake-Off Phone conference

    Hmm... I wasn't aware of a standard for Kerberos HTTP authentication,
    either, although there has been some recent discussion on the http-wg list
    about "ticket based authentication" (see
    http://www.ics.uci.edu/pub/ietf/http/hypermail/2000/0165.html). How does
    W2K implement this?

         -Carl

    pmoore@peerless.com on 08/15/2000 11:41:16 AM

    To: Carl Kugler/Boulder/IBM@IBMUS
    cc: Peter.Zehler@usa.xerox.com, ipp@pwg.org
    Subject: Re: IPP> TES - Bake-Off Phone conference

    IE5 on Windows 2000, and hence the MS IPP client on Windows 2000, does
    Kerberos
    authentication. IPP just rides on the back of whatever HTTP authentication
    happens to be available.

    "Carl Kugler/Boulder/IBM" <kugler@us.ibm.com> on 08/15/2000 09:27:36 AM

    To: Peter.Zehler@usa.xerox.com
    cc: ipp@pwg.org (bcc: Paul Moore/AUCO/US)

    Subject: Re: IPP> TES - Bake-Off Phone conference

    > 1) A quick walk through the Bake-Off testing outline. The objective is to
    > get some input on specific areas of testing.
    > The document is located at
    > "ftp://www.pwg.org/pub/pwg/ipp/new_TES/IPP-Test-Plan-000814.pdf".

    Peter-

    I see Kerberos listed under Authentication and Security. I didn't know IPP
    had Kerberos authentication. I'm interested in finding out more about
    this. Kerberos has a lot of advantages in a distributed environment, e.g.,
    single sign on and centralized administration.

         -Carl



    This archive was generated by hypermail 2b29 : Tue Aug 15 2000 - 21:57:12 EDT