Replacing bits of kx509 with Cosign

The current kx509 infrastructure doesn't work well in the web cafe case, which is a pain for mail.inf and Carwyn's submission system. As more of our users migrate to self-managed or DIY machines, which may not have the required magic installed to use kx509, this will probably become more of a problem.

However, kx509 is good in that it really does single sign-on, it can be used for services which use TLS (such as OpenVPN), and it's easier to script than going through the cosign cookie dance. What we really need is a mixture.

My proposal is that

  • We run a cosign service that accepts authentication both through username and password (for the web cafe case) and through kx509 credentials. In order to support credential forwarding, we'd also need to use kct.
  • Web applications which want to support users from non-DICE machines transition from using mod_auth_ssl to using mod_cosign. This should be relatively painless, as the authenticated identity is presented to the underlying application in the same way in both cases.
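As an added illustration, not from the original page or from the cosign project, here is what the mod_cosign side of that transition would look like in an Apache 2 virtual host. The directive names are the ones I remember from the cosign Apache filter documentation and should be verified against the installed version; the hostnames, service name, file paths and the application's use of REMOTE_USER and KRB5CCNAME are assumptions.

```apache
# Added example: an Apache 2 vhost fragment protecting /submit with
# mod_cosign instead of client-certificate (kx509) authentication.
# Hostnames, service name and paths are placeholders (assumptions).

<VirtualHost *:443>
    ServerName submit.example.ac.uk

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/submit.example.ac.uk.pem
    SSLCertificateKeyFile /etc/ssl/private/submit.example.ac.uk.key

    # Where unauthenticated users are sent. The weblogin server is the
    # one place that sees passwords (web cafe case) or kx509 credentials;
    # this host only ever sees the cosign service cookie.
    CosignHostname          weblogin.example.ac.uk
    CosignRedirect          https://weblogin.example.ac.uk/
    CosignPostErrorRedirect https://weblogin.example.ac.uk/post_error.html
    CosignService           cosign-submit

    # Key and certificate the filter uses to talk to cosignd, and the
    # CA directory it trusts. The key should be readable only by httpd.
    CosignCrypto   /etc/cosign/submit.key /etc/cosign/submit.crt /etc/cosign/CA
    CosignFilterDB /var/cosign/filter

    # Credential forwarding: ask the weblogin server (which obtains the
    # tickets via kct) for a Kerberos ticket cache for the logged-in user.
    # The filter exports its path in KRB5CCNAME so the application can
    # act as that user (e.g. towards a Kerberised mail or file store).
    CosignGetKerberosTickets On
    CosignTicketPrefix       /var/cosign/tickets

    <Location /submit>
        CosignProtected On
        # The application is unchanged: it keeps reading REMOTE_USER.
    </Location>
</VirtualHost>
```

Before switching a service over, check on a test vhost that REMOTE_USER carries the same value under mod_cosign as it did under the certificate-based setup (a plain username rather than a certificate subject), since that is the one thing the application actually depends on; if a service needs forwarded credentials, also confirm that KRB5CCNAME points at a ticket cache the httpd user can read.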

It would also be good to evaluate the use of HTTP Negotiate (SPNEGO) authentication against cosign, as it may, in the long run, remove the need for kct.

-- SimonWilkinson - 07 Jun 2005

Topic revision: r1 - 07 Jun 2005 - 10:29:05 - SimonWilkinson