security-services message



Subject: RE: [security-services] Drafts for review: Kerberos & SAML profiles


Ron Monzillo wrote on 2009-08-26:
> Is it too much of a stretch to view the principal as the name of the
> shared secret that must be known in order to obtain and use a service
> ticket acquired from the KDC?

No, but the suggestion to use ds:KeyName to do so just seems wrong to me, as
it provides *no* signal to the relying party that Kerberos is even involved.
That's harmful for interoperability, since it means that the implementation
has to know some OOB way or just brute force a number of different
interpretations of KeyInfo.

It's a lot easier if the implementation knows from either the confirmation
method or the KeyInfo structure that Kerberos is required. I'm agnostic
about which, while agreeing with Josh that if there are other use cases for
profiling/extending KeyInfo to deal with Kerberos, that's a valid argument.

But there should be an explicit structural component to key a switch
statement or inject pluggable code off of. Using HoK + ds:KeyName would make
Kerberos look identical to an RSA signature combined with a trusted
certificate, and that's not a good thing to me.

-- Scott
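The following is an added example illustrating the dispatch problem Scott describes; it is not code from the SAML TC, from either draft profile, or from any participant in the thread. It parses a holder-of-key SubjectConfirmation and derives the tag a relying party would switch on from the ds:KeyInfo contents. The namespace URN "urn:example:kerberos-keyinfo" and the element kerb:KerberosPrincipal are assumptions standing in for whatever explicit structure a profile might define; the SAML, xmldsig and holder-of-key identifiers are the real ones. The sample Subject fragments are constructed for the example.

```python
"""Dispatching a SAML holder-of-key SubjectConfirmation on ds:KeyInfo shape.

Added example, not code from the SAML TC or the profile drafts. A bare
ds:KeyName gives the relying party no structural signal: the Kerberos
principal and the certificate key name below produce identical results.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# Hypothetical namespace/element for an explicit Kerberos KeyInfo child.
# It is an assumption for illustration, not an identifier from any spec.
KERB_NS = "urn:example:kerberos-keyinfo"
NS = {"saml": SAML_NS, "ds": DS_NS, "kerb": KERB_NS}
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"


def _split(tag):
    """Split an ElementTree '{ns}local' tag into (ns, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def classify_confirmation(xml_text):
    """Return the confirmation Method and a dispatch tag for the RP.

    'hok-keyname-ambiguous' means the only KeyInfo content is ds:KeyName,
    which cannot distinguish a Kerberos principal from a certificate lookup
    without out-of-band knowledge.
    """
    root = ET.fromstring(xml_text)
    sc = root.find(".//saml:SubjectConfirmation", NS)
    if sc is None:
        raise ValueError("no saml:SubjectConfirmation found")
    method = sc.get("Method")
    if method != HOK:
        return {"method": method, "dispatch": "not-hok"}
    keyinfo = sc.find("saml:SubjectConfirmationData/ds:KeyInfo", NS)
    if keyinfo is None:
        return {"method": method, "dispatch": "hok-missing-keyinfo"}
    kinds = {_split(child.tag) for child in keyinfo}
    # Explicit structural component: a switch can key directly off it.
    if (KERB_NS, "KerberosPrincipal") in kinds:
        return {"method": method, "dispatch": "hok-kerberos"}
    # Explicit asymmetric key material: also unambiguous.
    if any(ns == DS_NS and local in ("X509Data", "KeyValue") for ns, local in kinds):
        return {"method": method, "dispatch": "hok-asymmetric"}
    # Only ds:KeyName present: the RP cannot tell what kind of key this names.
    if kinds and kinds <= {(DS_NS, "KeyName")}:
        return {"method": method, "dispatch": "hok-keyname-ambiguous"}
    return {"method": method, "dispatch": "hok-unknown"}


def _subject(keyinfo_children):
    """Build a constructed saml:Subject fragment around the given KeyInfo body."""
    return (
        f'<saml:Subject xmlns:saml="{SAML_NS}" xmlns:ds="{DS_NS}" xmlns:kerb="{KERB_NS}">'
        "<saml:NameID>alice</saml:NameID>"
        f'<saml:SubjectConfirmation Method="{HOK}">'
        "<saml:SubjectConfirmationData>"
        f"<ds:KeyInfo>{keyinfo_children}</ds:KeyInfo>"
        "</saml:SubjectConfirmationData>"
        "</saml:SubjectConfirmation>"
        "</saml:Subject>"
    )


# Constructed samples. The first two are meant differently by the issuer
# (Kerberos principal vs. certificate key name) but look the same to the RP.
KERBEROS_VIA_KEYNAME = _subject("<ds:KeyName>alice@EXAMPLE.ORG</ds:KeyName>")
CERT_VIA_KEYNAME = _subject("<ds:KeyName>CN=alice,O=Example</ds:KeyName>")
KERBEROS_EXPLICIT = _subject(
    "<kerb:KerberosPrincipal>alice@EXAMPLE.ORG</kerb:KerberosPrincipal>"
)
CERT_EXPLICIT = _subject(
    "<ds:X509Data><ds:X509SubjectName>CN=alice,O=Example</ds:X509SubjectName></ds:X509Data>"
)

if __name__ == "__main__":
    for name, doc in [
        ("Kerberos via ds:KeyName", KERBEROS_VIA_KEYNAME),
        ("certificate via ds:KeyName", CERT_VIA_KEYNAME),
        ("Kerberos via explicit element", KERBEROS_EXPLICIT),
        ("certificate via ds:X509Data", CERT_EXPLICIT),
    ]:
        print(f"{name:32s} -> {classify_confirmation(doc)['dispatch']}")
```

The two ds:KeyName cases classify identically, which is the interoperability problem in the message: the relying party would have to guess from the KeyName text (an "@" does not make something a Kerberos principal) or try several interpretations in turn. With an explicit element, or a distinct confirmation method, the same switch dispatches without guessing.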



