[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [wss] KERBEROS PROFILE: ISSUE Ticket Granting Ticket
Sorry, but for user-to-user authentication, the TGT has to be communicated to the other party, such that a server ticket can be obtained from the KDC. -Frank. Tim Alsop wrote: > I agree. Another point worth mentioning is that when the Kerberos protocol is used correctly and securely the TGT should not be transmitted anywhere. The TGT is designed to stay in a workstation or server credential cache and not be transmitted. However, service tickets are designed to be transmitted across networks so that mutual authentication, integrity and confidentiality can occur between initiator and acceptor. > > Thanks, > Tim. > > -----Original Message----- > From: Hallam-Baker, Phillip [mailto:pbaker@verisign.com] > Sent: 22 April 2004 17:24 > To: wss@lists.oasis-open.org > Subject: [wss] KERBEROS PROFILE: ISSUE Ticket Granting Ticket > > I believe that the Ticket Granting Ticket should be eliminated from the > Kerberos profile. > > The only valid use for a TGT is with the Kerb key derrivation algorithm. > That has no place in WS-Security. If it does appear it would be in WS-Trust > or the like and not in WS-Security. > > Encrypting a WS-Security message with a TGT could lead to cross protocol > attacks. Really bad voodoo. I propose that unless someone gives a good > reason to keep TGT in the Kerb profile and describes fully how to use it > that we should eliminate it. > > To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/wss/members/leave_workgroup.php. > -- Frank Siebenlist franks@mcs.anl.gov The Globus Alliance - Argonne National Laboratory
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]