[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Client authentication with Kerberos ticket

From: Steinar Bang <sb_at_dod.no>
Date: 2006-12-21 10:04:17 CET

>>>>> "D.J. Heap" <djheap@gmail.com>:

> On 12/20/06, Yves Martin <yves.martin@elca.ch> wrote:
>> BUT the GSSAPI/Negotiate is only tried with SSL ?
>> Why ? Is GSSAPI over http less secure than Basic over http ?

> I'm not an auth expert, but my understanding is that they are not
> really secure over http.

Kerb authentication using HTTP Negotiate over plain HTTP, is as secure
as kerb itself is, which is pretty secure. Authentication will be
secure. The traffic itself won't be secure, ie. the payload will go
in the clear.

Perhaps the reasoning is that when people wish to use a secure
authentication method, they wish the entire traffic to be secure and
should not be fooled to use an open transfer? (not a reasoning I would
have made, but there you go) Or perhaps it is an artifact of the
implementation? Ie. it was easier this way?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Thu Dec 21 10:05:05 2006

This is an archived mail posted to the Subversion Users mailing list.