, November 29, 2001
On the browser side, KX.509 provides a single sign-on that produces both Kerberos and public key credentials -- junk keys -- which are used for SSL client authentication. A web server plugin records a transcript of the client handshake, which an external service translates back into Kerberos credentials. The effect is to delegate limited Kerberos credentials to a web server thread over an SSL connection, while avoiding the (potentially dangerous) practice of shipping live Kerberos tickets.
Performance measurements show that the overhead of credential translation is amortized effectively over a session.
Honeyman has been instrumental in several software projects, including Honey DanBer UUCP, PathAlias, MacNFS, Disconnected AFS, and Webcard. His research focus is on middleware, with an emphasis on security, distributed file systems, and mobile computing. He is the author of dozens of journal and conference papers and serves regularly on conference organizing committees. Honeyman is Treasurer of the USENIX Association, Co-Vice Chair of IFIP TC 8.8, and a member of AAAS and EFF.
Further Seminar Info: