security-services message

Subject: Re: [security-services] Proposed Agenda for SSTC Call (29 June 2010)

From: Josh Howlett <josh.howlett@gmail.com>
To: oasis sstc <security-services@lists.oasis-open.org>
Date: Tue, 29 Jun 2010 19:16:03 +0100

> The public review for Kerberos items closed with no comments received.
>
> Scott was looking at the Kerberos Attribute Profile, which had  
> already gone through public review, and he found two issues.  First,  
> he couldn't find a schema, as there was nothing accompanying the  
> CD.  If there is no schema, then this document can't proceed.   
> Thomas will look for the schema.

I've attached the schema. I was certain that I had done this on  
submission, but it appears not :-(

> Secondly, Scott has deployers who want to implement this.  We're not  
> sure what the use cases with the APREQ are, but the customer demand  
> that Scott has is for passing actual Kerberos credentials in an  
> attribute, and he doesn't know how that is best done.

By "credential", do we mean "ticket"? If so, that's the point of the  
AP_REQ message. The AP_REQ is the ticket + authenticator.

josh.

saml-schema-kerberos.xsd

Follow-Ups:
- RE: [security-services] Proposed Agenda for SSTC Call (29 June 2010)
  - From: "Scott Cantor" <cantor.2@osu.edu>

References:
- Re: [security-services] Proposed Agenda for SSTC Call (29 June2010)
  - From: Nate Klingenstein <ndk@internet2.edu>