Kerbweb

What does Kerberos have to do with mash-ups? The simple answer is that any authentication protocol is in a sense a mash-up. In the simplest case a web application is mashing its functionality with an identity assertion provided by some other web application.

While Kerberos is very widely deployed within enterprises, it is not often used for web authentication. However, this may be about to change: the MIT Kerberos Consortium is channeling new energy into Kerberos in general. In the paper “Towards Kerberizing Web Identity and Services”, Jeff Hodges, Josh Howlett, Leif Johansson and RL "Bob" Morgan lay out the problem very comprehensively. We would recommend the paper, and its wealth of references, simply as a primer on identity management in general, even if you are not particularly interested in Kerberizing the web.

Of specific interest to us are:

  • Their conclusion that “A Kerberos-based authentication mechanism for REST-based web services is also urgently needed.”
  • Mitigating the concerns they raise about “…the problems inherent in using Kerberos at the application layer within HTTP”.
  • Their highest priority opportunity: “Specify the use of Kerberos with TLS”.

We believe MashSSL can help in a big way with each of these. We have built a simple gateway server that on one side consumes Kerberos credentials from the browser (via the SPNEGO-based HTTP Negotiate mechanism built into most browsers) and on the other side uses MashSSL to convey the user's authenticated identity to the web application it fronts.
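As an added illustration of the browser-facing half of such a gateway (example code written for this page, not the MashSSL gateway's own code; the MashSSL side is not shown), the following Python handles the HTTP Negotiate exchange defined in RFC 4559: it challenges the browser, decodes the SPNEGO token the browser sends back, and refuses to proceed unless that token actually carries a Kerberos ticket. The OIDs are the standard ones for SPNEGO, Kerberos V5 (including the Microsoft variant Windows clients list first) and NTLM. The `accept_krb5` callback is a hypothetical stand-in for the GSS-API acceptor (gss_accept_sec_context holding the gateway's HTTP/hostname keytab), and every token, principal name and the `<AP-REQ placeholder>` bytes are constructed test data. The check that matters in practice: a Windows browser with no ticket for the gateway will typically fall back to NTLM inside the very same Negotiate header, and NTLM never touches the KDC, so a gateway that accepts whatever Negotiate hands it has not done Kerberos authentication at all.

```python
import base64
# DER-encoded OID bodies (no tag/length) of the mechanisms seen in HTTP Negotiate.
OID_SPNEGO = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2 (Windows clients)
OID_NTLM = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
CHALLENGE = {"WWW-Authenticate": "Negotiate"}

def tlv(tag, value):
    n = len(value)                                  # DER element, long length form if needed
    if n < 0x80:
        return bytes([tag, n]) + value
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + value

def read_tlv(buf, pos):
    """Decode the DER element at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    nbytes = 0 if first < 0x80 else first & 0x7F
    if first == 0x80 or nbytes > 4:
        raise ValueError("unsupported DER length")
    start = pos + 2 + nbytes
    length = first if nbytes == 0 else int.from_bytes(buf[pos + 2:start], "big")
    if start + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[start:start + length], start + length

def gss_wrap(mech_oid, inner):
    """RFC 2743 InitialContextToken: [APPLICATION 0] { OID mech, inner token }."""
    return tlv(0x60, tlv(0x06, mech_oid) + inner)

def gss_unwrap(token):
    """Return (mechanism OID, inner token) of an InitialContextToken."""
    tag, body, end = read_tlv(token, 0)
    tag2, oid, pos = read_tlv(body, 0)
    if tag != 0x60 or end != len(token) or tag2 != 0x06:
        raise ValueError("not a GSS-API InitialContextToken")
    return oid, body[pos:]

def spnego_mech_types(neg_token):
    """mechTypes of an RFC 4178 NegTokenInit; any other SPNEGO choice is rejected."""
    # Descend: [0] negTokenInit -> SEQUENCE -> [0] mechTypes -> SEQUENCE OF OID
    for want in (0xA0, 0x30, 0xA0, 0x30):
        tag, neg_token, _ = read_tlv(neg_token, 0)
        if tag != want:
            raise ValueError("unexpected SPNEGO structure (tag 0x%02x)" % tag)
    oids, pos = [], 0
    while pos < len(neg_token):
        tag, oid, pos = read_tlv(neg_token, pos)
        if tag != 0x06:
            raise ValueError("mechTypes entry is not an OID")
        oids.append(oid)
    return oids

def classify_token(token):
    """'krb5' if the browser really sent a Kerberos ticket, 'ntlm' for NTLM, else 'other'."""
    if token.startswith(b"NTLMSSP\x00"):        # raw NTLM, no SPNEGO wrapper at all
        return "ntlm"
    mech, inner = gss_unwrap(token)
    if mech == OID_SPNEGO:
        # RFC 4178: the optimistic mechToken belongs to the FIRST listed mechanism.
        mech = spnego_mech_types(inner)[0]      # IndexError on an empty list -> 400 below
    if mech in (OID_KRB5, OID_MS_KRB5):
        return "krb5"
    return "ntlm" if mech == OID_NTLM else "other"

def handle_request(headers, accept_krb5):
    """One RFC 4559 Negotiate round on the gateway's browser-facing side. accept_krb5 is a
    hypothetical stand-in for gss_accept_sec_context(): token -> principal, or None."""
    auth = headers.get("Authorization")
    if auth is None:
        return 401, CHALLENGE, None             # first leg: ask the browser for a ticket
    parts = auth.split(None, 1)                 # "Negotiate <base64 token>"
    if len(parts) != 2 or parts[0].lower() != "negotiate":
        return 400, {}, None
    try:
        token = base64.b64decode(parts[1], validate=True)
        kind = classify_token(token)
    except (ValueError, IndexError):            # bad base64 or malformed ASN.1
        return 400, {}, None
    if kind != "krb5":
        # NTLM never involves the KDC, so accepting it would bypass Kerberos entirely.
        return 401, CHALLENGE, None
    principal = accept_krb5(token)
    return (200, {}, principal) if principal else (401, CHALLENGE, None)

def make_spnego_token(mech_oids, mech_token):
    """Constructed test data: a minimal NegTokenInit carrying mech_token (not a real ticket)."""
    mech_types = tlv(0xA0, tlv(0x30, b"".join(tlv(0x06, o) for o in mech_oids)))
    return gss_wrap(OID_SPNEGO, tlv(0xA0, tlv(0x30, mech_types + tlv(0xA2, tlv(0x04, mech_token)))))

def negotiate_header(token):
    return {"Authorization": "Negotiate " + base64.b64encode(token).decode("ascii")}

def demo():
    # Constructed scenarios; verify() stands in for a GSS-API acceptor holding the gateway keytab.
    verify = lambda tok: "alice@EXAMPLE.COM" if b"AP-REQ" in tok else None
    krb = make_spnego_token([OID_MS_KRB5, OID_KRB5, OID_NTLM], b"<AP-REQ placeholder>")
    ntlm = make_spnego_token([OID_NTLM], b"NTLMSSP\x00\x01")
    return {
        "challenge": handle_request({}, verify)[0],
        "kerberos": handle_request(negotiate_header(krb), verify),
        "ntlm_in_spnego": handle_request(negotiate_header(ntlm), verify)[0],
    }
```

Calling demo() walks the three cases a gateway sees most: no Authorization header (answered with 401 and WWW-Authenticate: Negotiate), a NegTokenInit whose first mechanism is Kerberos (handed to the acceptor and mapped to the constructed principal), and one whose only mechanism is NTLM (re-challenged rather than accepted). In a real deployment the SPNEGO token goes to the GSS-API library, which also verifies the AP-REQ authenticator and that the ticket is for the gateway's own service principal; the parsing here only decides whether the gateway should attempt that at all.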