[Freeipa-users] Understanding role of the certificate in client - server communication.

Genadi Postrilko genadipost at gmail.com
Fri Mar 28 14:49:10 UTC 2014


Thank you for the answer.
Is the communication between IPA client and server HTTPS based, not just
SSL over TCP?
And Kerberos? Does it have to be over HTTP, or is it purely over TCP/UDP?


2014-03-19 10:56 GMT+02:00 Alexander Bokovoy <abokovoy at redhat.com>:

> On Wed, 19 Mar 2014, Genadi Postrilko wrote:
>
>> Thank you for the answer.
>> Sorry if I lack the knowledge, but why is SSL needed when using Kerberos?
>> Kerberos is based on a trusted third party, so why is there a need for
>> public key encryption?
>>
> Using Kerberos only, without asking for integrity and confidentiality
> services, without channel bindings to the outer encryption, is prone to
> MITM even with valid TLS channels.
>
> Use of certificates allows performing mutual authentication at the SSL
> level and later performing channel bindings of the tunnelled Kerberos
> communication.
>
> Note that Kerberos over HTTP is weak without transport level security.
> HTTP authentication per se is independent of the transport.
>
> For more details you can look at Joe Orton's talk at ApacheCon'2008:
> http://www.apachecon.com/eu2008/program/materials/kerb-sso-http.pdf
> --
> / Alexander Bokovoy
>
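The point Alexander makes about channel bindings, as an added illustration that is not part of the thread and not FreeIPA or MIT Kerberos code: a deliberately simplified model in which the client ties its Kerberos authenticator to the TLS server certificate it actually saw (an RFC 5929 tls-server-end-point style binding, SHA-256 assumed), so an authenticator relayed through a man-in-the-middle presenting its own certificate no longer verifies at the real server, while an unbound authenticator still does. The session key and certificate bytes are constructed stand-ins; real GSSAPI/Kerberos checksum formats are not reproduced.

```python
import hashlib
import hmac

# Constructed stand-ins: a Kerberos session key shared by client and server after
# the AP-REQ/AP-REP exchange, and DER-encoded certificates of the real server
# and of a relaying middlebox.  Not real key or certificate material.
SESSION_KEY = bytes(range(32))
SERVER_CERT_DER = b"constructed DER of the genuine IPA server certificate"
MITM_CERT_DER = b"constructed DER of a relaying middlebox certificate"


def tls_server_end_point(cert_der: bytes) -> bytes:
    """RFC 5929 tls-server-end-point binding: prefix plus a hash of the
    server certificate (SHA-256 assumed here)."""
    return b"tls-server-end-point:" + hashlib.sha256(cert_der).digest()


def make_authenticator(session_key: bytes, channel_binding: bytes) -> bytes:
    """Model of the checksum the client puts in its authenticator.  Real
    Kerberos GSSAPI (RFC 4121) hashes the bindings into the AP-REQ checksum;
    here an HMAC under the session key stands in for that construction.
    An empty binding models 'Kerberos only, no channel binding requested'."""
    return hmac.new(session_key, channel_binding, hashlib.sha256).digest()


def server_accepts(session_key: bytes, tag: bytes, own_cert_der: bytes,
                   require_binding: bool) -> bool:
    """The real server recomputes the checksum over the binding derived from
    ITS OWN certificate and compares.  With require_binding=False it models
    a server that does not ask for bindings and accepts an unbound tag."""
    binding = tls_server_end_point(own_cert_der) if require_binding else b""
    expected = make_authenticator(session_key, binding)
    return hmac.compare_digest(expected, tag)


def simulate(mitm_in_path: bool, use_binding: bool) -> bool:
    """Return True if the real server accepts the client's authenticator.

    The client binds to whatever certificate terminated its TLS session:
    the real server's, or the middlebox's if one is relaying the traffic."""
    seen_cert = MITM_CERT_DER if mitm_in_path else SERVER_CERT_DER
    binding = tls_server_end_point(seen_cert) if use_binding else b""
    tag = make_authenticator(SESSION_KEY, binding)
    return server_accepts(SESSION_KEY, tag, SERVER_CERT_DER, use_binding)


if __name__ == "__main__":
    print("direct, bound   :", simulate(False, True))   # accepted
    print("relayed, bound  :", simulate(True, True))    # rejected
    print("relayed, unbound:", simulate(True, False))   # accepted: the weakness
```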

