[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentica tion
Polar, Scott,
If you would like me to I can give you some references to real implementations that use this method, but I will do this offline because I think we are going off subject for this discussion.
There is no doubt that the many ways of using Kerberos in a web environment today are far from ideal and some are better than others. I would however say that using Kerberos in this wey (Kerberos client on web server) is more secure than a simple password check at the web server. Also, the password is not stored, so attacks on password are addressed because of TLS being used between browser and web server. The web server simply sends the AS-REQ and destroys the users password because it is no longer needed.
Anyway, I don't want to discuss the merits of the Kerberos implementations and which is better or more appropriate. There are better places to have such a discussion if needed. What we are discussing here is whether we represent this type of Kerberos authentication in a web environment with SAML as being done using Kerberos method - my vote is yes.
The reason why we should represent this use of Kerberos in the same way as any other is that we can clearly define 'using Kerberos in a web environment' as something like :
1. a user enters userid/password, token challenge, smart card, or some other information
2. The users information is used to obtain a tgt
3. The tgt is used to obtain a service ticket
4. The service ticket is presented to a service
5. The service decrypts the service ticket using a secret key and thus determines the principal name of the user
6. The principal name of the user is represented in the SAML assertion
So, you can see that this approach to using Kerberos can be represented by the above, just as well as any other. I see no reason to say that one method of using Kerberos is represented in an assertion and another is not. If you disagree please convince me why we should differentiate ?
Thanks,
Tim.
-----Original Message-----
From: Polar Humenn [mailto:polar@syr.edu]
Sent: 13 April 2004 02:18
To: Scott Cantor
Cc: security-services@lists.oasis-open.org
Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentica tion
My first reaction is, "You've got to be kidding me!",
then sadly, or more frightenly, you wouldn't be.
I'll agree with you. I wouldn't call that Kerberos. My god.
Sometimes, I just wonder what other abominations .....
Gezzzz,
-Polar
On Mon, 12 Apr 2004, Scott Cantor wrote:
> > Do you mean the "kerberos user" quite blatantly gives his kerberos name
> > AND PASSWORD to the web server? And then the web server gets the TGT from
> > the KDC AS service in the name of the kerberos user?
>
> Sure, that's how the vast majority of web SSO systems work if the
> authentication source is Kerberos. Obviously Kerberos is fairly incidental
> in that environment; a password database is just as good (or bad).
>
> Ideally that traffic is confined to a single trusted server that doesn't
> host applications, just the weblogin process. In practice, people do
> basic-auth over SSL to Kerberos all over, all the time.
>
> -- Scott
>
To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/security-services/members/leave_workgroup.php.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]