Subject: Re: Kerberos in Shibboleth?
Scott,

Thanx for your comments on Kerberos. Since MSFT is actually targeting SAML scenarios with their "federated Passport", this is extremely important for the SAML TC to get more info on.

> I'm less sanguine about the use of PKI than some, as it all strikes me
> as very arbitrary why my web server should trust this other signer or
> vice versa. But given a bunch of people willing to agree "here are the
> rules we'll accept for signers and certificate verification", which is a
> large part of what Club Shib is about, I don't have any concerns about
> implementing it using PKI. I don't see any interoperability there
> however.

Please enlighten me. What kind of interoperability problems do you anticipate?

- Is it that every Club Shib member will make their own certs holding arbitrary (Subject) definitions?
- Or is it concerns regarding root key distribution?

Using TTP-issued certificates like VeriSign's Web Server certificates you will limit interoperability problems considerably. A remaining problem with web server certificates is that they certify a DNS name, while a DUNS number would actually be superior as it is independent of whether the server has DNS "secure.acme.com" or "sec1.acme.com". I.e. a "farm" of security servers may serve a single legal entity, and in that case VeriSign's et al. certificates break down. Particularly as "acme.com" may be used for a number of Acme-associated legal entities.

Anders
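The "server farm" problem Anders describes, as an added example that is not part of the thread: a relying party that trusts a web server certificate by DNS name accepts "secure.acme.com" but rejects a sibling "sec1.acme.com" of the same legal entity, whereas matching on a legal-entity identifier in the Subject accepts both. The `Cert` class, the `org_id` field and the placeholder identifier value are constructed for illustration; the wildcard case shows why a `*.acme.com` certificate does not solve it either.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for the identity fields of an X.509 web server cert."""
    subject_cn: str
    san_dns: Tuple[str, ...] = ()
    # Hypothetical legal-entity identifier (e.g. a DUNS-style number); not a real X.509 field name.
    org_id: Optional[str] = None


def hostname_matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name match; a leading '*' matches exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                      # ".acme.com"
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]               # the label the '*' stands for
    return left != "" and "." not in left


def trust_by_dns_name(cert: Cert, host: str) -> bool:
    """What a browser-style relying party does: the cert must name this exact host."""
    names = cert.san_dns or (cert.subject_cn,)
    return any(hostname_matches(n, host) for n in names)


def trust_by_legal_entity(cert: Cert, expected_org_id: str) -> bool:
    """Alternative policy: trust the legal entity, whichever host in the farm answers."""
    return cert.org_id is not None and cert.org_id == expected_org_id


# Constructed sample data: two members of one security-server farm, plus a wildcard cert.
ACME_ORG_ID = "ORG-ID-PLACEHOLDER-000000000"
FARM_CERT_1 = Cert("secure.acme.com", ("secure.acme.com",), ACME_ORG_ID)
FARM_CERT_2 = Cert("sec1.acme.com", ("sec1.acme.com",), ACME_ORG_ID)
WILDCARD_CERT = Cert("*.acme.com", ("*.acme.com",), ACME_ORG_ID)

if __name__ == "__main__":
    print("DNS policy, sec1 via secure's cert:", trust_by_dns_name(FARM_CERT_1, "sec1.acme.com"))
    print("Entity policy, both farm members:",
          trust_by_legal_entity(FARM_CERT_1, ACME_ORG_ID) and trust_by_legal_entity(FARM_CERT_2, ACME_ORG_ID))
    # The wildcard also covers any other Acme-associated entity under acme.com.
    print("Wildcard covers other-entity host:", trust_by_dns_name(WILDCARD_CERT, "subsidiary.acme.com"))
```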