shibboleth-dev - RE: [Fwd: A Case for Shibboleth and PKI]
Subject: Shibboleth Developers
List archive
- From: Scott Cantor <>
- To: 'Klaas Wierenga' <>
- Cc: "'David L. Wasley'" <>, 'Bart Kerver' <>,
- Subject: RE: [Fwd: A Case for Shibboleth and PKI]
- Date: Thu, 06 May 2004 17:35:50 -0400
- Organization: The Ohio State University
> *Potentially* yes, but with the EAP-types I mentioned (TLS, TTLS and
> PEAP) the user's password is only visible to the home authentication
> server. With the aforementioned types a secure tunnel is set up between the
> client and the home authentication server, no intermediary server can
> see the credentials.

Ok, didn't understand that. So in the TLS case, you're doing the CONNECT
trick that lets HTTP proxies handle SSL without getting in the middle?

> Fair enough, security *always* is a trade-off. But in this case, you're
> only forced to give your password to your own institution.

Yes, that's fine.

> Hope this clarifies things.

Enormously, yes.

-- Scott