Re: gnome-keyring Using gkr for Kerberos/NTLM single-sign-on handling
- From: David Zeuthen <david fubar dk>
- To: David Woodhouse <dwmw2 infradead org>
- Cc: "Sviatko, StephenX A" <stephenx a sviatko intel com>, "Rossi, Christopher" <christopher rossi intel com>, Stef Walter <stefw collabora co uk>, gnome-keyring-list gnome org
- Subject: Re: gnome-keyring Using gkr for Kerberos/NTLM single-sign-on handling
- Date: Fri, 29 Apr 2011 08:56:04 -0400
Hi,
On Fri, Apr 29, 2011 at 7:42 AM, David Woodhouse <dwmw2 infradead org> wrote:
> You *really* don't want to be teaching GOA how to connect to every
> different type of server, and get all the SSL and proxy and other stuff
> right.
Well, proxy and cert handling is in the core library stack now
(libgio-2.0), so GOA would make use of that.. but..
> I've just taken stock of the dozens of NTLM implementations we have in
> various places, for HTTP/IM/SMTP/IMAP/LDAP/etc authentication. Do you
> really want to learn how to make *all* those connections, and get it
> *right* in all cases? That way lies madness, I suspect.
Yeah, I suspect you are right. I was mostly thinking out loud. So we
should focus on just providing the information to connect to standard
protocols (such as IMAP and SMTP), not actually making the connection
on behalf of the client. That's a lot more sane, I think.
For GMail, their IMAP and SMTP servers support OAuth already through
SASL, so that's easily done since it's fine to share a short-lived
token. For Exchange, we could add D-Bus methods to do the NTLM dance
without sharing the actual password. We could also just share the
password.. I mean, it's all the same security context *anyway* and
there's little use in pretending that it's not.
Stupid question: doesn't Exchange have support for something like
OAuth so the user's password isn't needed? I mean, we should be
designing for the future, not the past.
David
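The "NTLM dance without sharing the actual password" idea above, sketched as an added example (not GNOME Online Accounts or gnome-keyring code): a broker that holds the NT hash and only ever answers server challenges, so the mail client on the other side of the (here simulated) D-Bus call never receives the password or its hash. The user, domain, NT hash, challenge and nonce are constructed placeholders.

```python
import hashlib
import hmac
import struct
import time


def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


class CredentialBroker:
    """Keeps the NT hash (password-equivalent, so it must not leak) and
    exposes only the NTLMv2 challenge-response computation."""

    def __init__(self, user: str, domain: str, nt_hash: bytes):
        # NTLMv2 key = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) || domain))
        self._key = _hmac_md5(nt_hash, (user.upper() + domain).encode("utf-16-le"))

    def respond(self, server_challenge: bytes, client_blob: bytes) -> bytes:
        """What a D-Bus method would return: NTProofStr || client blob."""
        if len(server_challenge) != 8:
            raise ValueError("server challenge must be 8 bytes")
        proof = _hmac_md5(self._key, server_challenge + client_blob)
        return proof + client_blob


def filetime_now() -> int:
    # Windows FILETIME: 100 ns ticks since 1601-01-01
    return int((time.time() + 11644473600) * 10_000_000)


def make_client_blob(client_nonce: bytes, target_info: bytes, ts: int) -> bytes:
    # NTLMv2_CLIENT_CHALLENGE: type 1,1, 6 reserved, timestamp, nonce,
    # 4 reserved, server AV pairs, 4 reserved
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", ts) + client_nonce
            + b"\x00" * 4 + target_info + b"\x00" * 4)


def verify_response(nt_hash: bytes, user: str, domain: str,
                    server_challenge: bytes, response: bytes) -> bool:
    """Server-side check; the server (or its DC) also knows the NT hash."""
    key = _hmac_md5(nt_hash, (user.upper() + domain).encode("utf-16-le"))
    proof, blob = response[:16], response[16:]
    return hmac.compare_digest(proof, _hmac_md5(key, server_challenge + blob))


# Constructed placeholders, not real credentials or captured traffic
NT_HASH = bytes(range(16))
USER, DOMAIN = "alice", "EXAMPLE"
SERVER_CHALLENGE = b"\x11" * 8
BLOB = make_client_blob(b"\x22" * 8, b"\x00" * 4, filetime_now())


def demo() -> bool:
    broker = CredentialBroker(USER, DOMAIN, NT_HASH)   # lives in the daemon
    response = broker.respond(SERVER_CHALLENGE, BLOB)   # all the client gets
    return verify_response(NT_HASH, USER, DOMAIN, SERVER_CHALLENGE, response)
```

The client process only ever handles `response`, which is bound to this one server challenge; a compromised client can authenticate for the current session but cannot recover the password or reuse the proof against a different challenge.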