Given my lack of progress on adding Kerberos support to NSS
(and hence to Mozilla's TLS implementation), I've started
looking at other solutions to the problem of using Kerberos
credentials to authenticate web sessions.
The kx509 code from the University of Michigan is looking
promising. It allows users to gain short lived X509
using their Kerberos credentials. These certficates are then
transparently used by the browser (via a custom PKCS#11)
module to authenticate to the server.
So far, I've hacked all of the umich specific stuff out of
and rejigged the build system so its better at dealing with
different environments. Its looking very promising though -
next step is to try to get some web applications to operate
with client certificates.