curby . | 18 Nov 2005 02:52

Re: Negotiating Web Browsers List (additions appreciated)

On 11/15/05, curby . <curby.public <at> gmail.com> wrote:
> My knowledge of Kerberos is patchy at best, but here's a more detailed
> explanation of my original concern.  I believe that it is possible to
> set your credentials to be forwardable, so a service to which you give
> your credentials can use them on your behalf and in your name.  If
> SPNEGO allows this sort of behavior, and your tickets are forwardable,
> any SPNEGO-speaking web server might grab your credentials.

On further reflection and discussion with others, this is possibly a
non-issue, depending solely on the implementations of SPNEGO by
Microsoft and Apple.  I include Microsoft because it is not clear in
IE what exactly the browser is doing with the Kerberos tickets
involved.  Consider:

In the mozilla family of browsers there are two SPNEGO-related
configuration options:

network.negotiate-auth.trusted-uris
network.negotiate-auth.delegation-uris

From the site http://www.mozilla.org/projects/netlib/integrated-auth.html

"network.negotiate-auth.trusted-uris lists the sites that are
permitted to engage in SPNEGO authentication with the browser, and
network.negotiate-auth.delegation-uris lists the sites for which the
browser may delegate user authorization to the server."

In other words, you could trust your entire intranet's servers with
SPNEGO and as long as you do not delegate, your TGT will not be sent
to the server.  The most that a compromised server could work with is
the service ticket for itself.  This means that risk is greatly
reduced.

In the case of Safari, if the browser is willing to send the TGT (in
other words delegate user authz) to any server, this introduces
undesirable implicit trust.  If it doesn't send the TGT, then the
inability to list trusted servers explicitly is unfortunate but not
horrendous.

Similarly, if IE would only negotiate but not delegate, one might
trust an entire intranet (*.example.com) and not be too worried.  If
it does indeed delegate automatically, it is important to restrict the
servers with which IE engages in SPNEGO.

Does anyone know for sure what these platform-specific browsers do?  Thanks. =)

--Curby
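Added example, not part of Curby's post and not Mozilla's code: a small model of how a Mozilla-family browser consults the two prefs discussed above before answering a Negotiate challenge, and of what a compromised server at a given URL could then obtain (nothing, its own service ticket, or a forwarded TGT). The entry syntax (comma or whitespace separated "host", ".domain", or "scheme://host[:port]"; a domain entry covers that domain and its subdomains; an entry with no host part such as "https://" covers every host on that scheme) follows Firefox's documented behaviour; the pref values and URLs are constructed for this example, and treating delegation as possible only for a site that is also in trusted-uris is an assumption of the model.

```javascript
// Model of the trusted-uris / delegation-uris decision in a Mozilla browser.
// Illustration written for this page, not Mozilla's code.  Pref values below
// are constructed; the matching rules are a re-implementation of the documented
// behaviour, and "delegate implies trusted" is an assumption of this model.

// Pref values as they would appear in about:config (constructed).
const PREFS = {
  "network.negotiate-auth.trusted-uris":
    "https://.intranet.example.com, wiki.example.com, https://sso.example.com:8443",
  "network.negotiate-auth.delegation-uris": "https://sso.example.com:8443",
};

// Split a pref value into entries: commas and whitespace both separate them.
function parseList(value) {
  return value.split(/[\s,]+/).filter((entry) => entry.length > 0);
}

// Does a single list entry cover the URL?  Scheme and port must match exactly
// when the entry specifies them; the host must equal the entry's host or be a
// subdomain of it, so "wiki.example.com" does not cover "evilwiki.example.com".
function entryMatches(entry, url) {
  let requiredScheme = null;
  let rest = entry;
  const sep = entry.indexOf("://");
  if (sep >= 0) {
    requiredScheme = entry.slice(0, sep).toLowerCase();
    rest = entry.slice(sep + 3);
  }
  let entryHost = rest;
  let requiredPort = null;
  const colon = rest.indexOf(":");
  if (colon >= 0) {
    entryHost = rest.slice(0, colon);
    requiredPort = parseInt(rest.slice(colon + 1), 10);
  }
  entryHost = entryHost.toLowerCase();

  const scheme = url.protocol.replace(/:$/, "").toLowerCase();
  if (requiredScheme !== null && requiredScheme !== scheme) return false;

  const port = url.port ? parseInt(url.port, 10) : (scheme === "https" ? 443 : 80);
  if (requiredPort !== null && requiredPort !== port) return false;

  if (entryHost.length === 0) return true; // e.g. "https://" covers any https host

  const host = url.hostname.toLowerCase();
  if (host === entryHost) return true;
  const suffix = entryHost.startsWith(".") ? entryHost : "." + entryHost;
  return host.endsWith(suffix);
}

// For one URL: will the browser negotiate at all, and will it also forward the
// TGT?  A site the browser never negotiates with can never receive a TGT.
function negotiatePolicy(urlString) {
  const url = new URL(urlString);
  const trusted = parseList(PREFS["network.negotiate-auth.trusted-uris"]);
  const delegation = parseList(PREFS["network.negotiate-auth.delegation-uris"]);
  const negotiate = trusted.some((entry) => entryMatches(entry, url));
  const delegate = negotiate && delegation.some((entry) => entryMatches(entry, url));
  return { negotiate, delegate };
}

// What a compromised server at this URL could get from the browser, using the
// distinction the post draws between negotiating and delegating.
function exposure(urlString) {
  const { negotiate, delegate } = negotiatePolicy(urlString);
  const host = new URL(urlString).hostname;
  if (!negotiate) return "nothing (browser will not speak SPNEGO to this site)";
  if (!delegate) return `service ticket for HTTP/${host} only`;
  return "forwarded TGT (server can act in the user's name elsewhere)";
}

// Walk a few constructed URLs, including look-alike hosts outside the lists.
for (const u of [
  "https://wiki.example.com/",
  "https://hr.intranet.example.com/",
  "http://hr.intranet.example.com/",
  "https://sso.example.com:8443/login",
  "https://sso.example.com/",
  "https://evilwiki.example.com/",
]) {
  console.log(u, "->", exposure(u));
}
```

With these prefs, every listed intranet host is allowed to negotiate and so can learn at most its own service ticket, while only the one SSO host on port 8443 ever receives a forwarded TGT; a host that merely ends in a listed name, such as evilwiki.example.com, gets nothing.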

