On Apr 9, 2008, at 11:20 AM, Jeff Siarto wrote:

> Sentinel authentication already uses SSL when the user is prompted for
> an MSU NetID and password. If the app is using the service correctly,
> it should take them to login.msu.edu (which is secure), authenticate
> them and then send them back to the application with the proper
> credentials. All this is done securely and it shouldn't matter if the
> application itself is hosted under SSL. As far as I know, after the
> initial authentication no other personal data is sent via insecure
> methods. Are my assumptions wrong?

Sentinel uses MSU's Kerberos KDC (afsdb0.cl.msu.edu, run by ATS staff) as its actual authentication mechanism. I'm assuming what Tom is referring to is a site that uses either native Kerberos or pam_imap or some other hackery to use a person's NetID and password to authenticate them. In all likelihood, Sentinel has nothing to do with this. This being the case, the password is *handled* by the 3rd-party application, which is exactly what I'm recommending avoiding.

./mk

--
Matt Kolb <[log in to unmask]>
Academic Technology Services
Michigan State University