
security-services message



Subject: Re: [security-services] Proposed Agenda for SSTC Call (29 June 2010)


>>> Secondly, Scott has deployers who want to implement this.  We're not
>>> sure what the use cases with the APREQ are, but the customer demand
>>> that Scott has is for passing actual Kerberos credentials in an
>>> attribute, and he doesn't know how that is best done.
>>
>> By "credential", do we mean "ticket"? If so, that's the point of the
>> AP_REQ message. The AP_REQ is the ticket + authenticator.
>
> I don't want to speak for CMU, but what we were told is that the normal
> thing to do is to transfer the tickets in some standard format, and then the
> receiver of that can produce new AP_REQ messages as needed.

Do you have any more information about this use-case? A Kerberos  
ticket is always transported in a Kerberos message. I'm sure that  
there's an appropriate message to use for their use-case, and we can  
trivially modify the schema to support that, but given the context  
it's not obvious what that message type should be.

josh.

