[Cryptography] Toxic Combination

Abe Singer abe at oyvay.nu
Thu Dec 4 18:40:56 EST 2014

I'm' probably

On Thu, Dec 04, 2014 at 05:37:45PM +0000, alex at alten.org wrote:
> Quoting Peter Gutmann <pgut001 at cs.auckland.ac.nz>:
>> Ben Laurie <benl at google.com> writes:
>> Looking past all the excuses, there is one, and only one, reason why no
>> browser supports proper shared secret-based mutual auth: The browser vendors
>> don't want to do it.
> I agree with you, having designed and built symmetric key systems in the 
> past for intra-organization use.  These type of systems had a  
> centralized key management (and policy adjudication) server for maximum 
> automation of secure data/session key distribution, which is great for 
> things like real-time revocation.

> How would you propose going about doing it for a globally scalable system?

Uhm, ahem, er.... Kerberos, SPNEGO, Shibolleth?

So, I'm probably going to ignite an excrement-storm of flames here, but...

Kerboeros via SPNEGO is already supported in most if not all of the
popular browsers.  Keeps the password close to home.  Scales well for
some variables, and give single-sign-on capabilities

Shibboleth because in most places where one ends up authenticating to
a server, all the server really needs is authorization information.

So, authenticate to your chosen IDP, and get assertions that you can
hand off to any SP that recognizes your IDP.

There are details of course... but it might be easier than developing
an entirely new protocol that nobody yet supports.

More information about the cryptography mailing list