Subject: RE: [wss] Groups - oasis-xxxxx-wss-kerberos-token-profile-1.0.pdf uploaded
Hi,

I have some feedback/comments on this document.

Line 6 - Kerberos written as Kerboer (typo?)

Line 14 & Line 47 - In one case (line 14) it says "..how to use Kerberos [Kerb] tickets.." and in the other case (line 47) it says "..the use of Kerberos [Kerb] tokens..". This is confusing for Kerberos people because the word token normally refers to GSS tokens, so we need to make it 100% clear in this document whether we are referring to Kerberos tickets, or GSS tokens, or WSS tokens with Kerberos, or something else. In any case the document needs to make consistent references to the terms 'token' and 'ticket'.

Is it possible to use WSS with GSS-API message protection rather than coding Kerberos ticket requests at a low level using a vendor proprietary Kerberos API? I assume not, because the document doesn't mention GSS in any way - does the WSS TC plan to create a new draft that covers use of GSS with WSS?

Line 51 - another reference to 'Kerberos tokens'? Should this say something like "Kerberos tickets" instead? At the moment it is very confusing referring to tokens without making this clearer.

General comment/question - are there any plans to prepare a use cases document, or technical overview, to explain how WSS/Kerberos can, and should, be used?

References to Kerberos - Should rfc1510bis (aka Kerberos clarifications) be mentioned, or is this document exclusively concerning rfc1510? If so, then DES cipher suites are the only type that can be supported by this profile. I am sure many implementers will want to use RC4, AES, 3DES etc. instead of 56-bit DES. Also, I may have missed it, but I didn't see any reference to cipher suites that can/should/must be used in this document - is this written elsewhere?

Table between lines 95 and 96 - it is not clear to me why you would want to transfer a TGT in a SOAP message. Normally TGTs are issued for a particular client/workstation/system and contain an IP address so that they cannot be copied onto another system and used (identity hijacking!). So, how/why do you want to transmit a Kerberos 5 TGT?

Lines 96-97 - How do I carry GSS-API tokens instead of Kerberos tickets? A GSS token would normally contain a Kerberos service ticket and possibly a forwarded TGT (if applicable).

Line 100 - reference is made to a Kerberos token again. This is confusing to me and others. Does it mean Kerberos ticket?

Line 185 - surely a ticket is not used as a key? It would be a key within the ticket that would be used. This is not clear in this sentence. Lines 187-188 make it clearer, but I think 185 needs changing.

Line 190 - Similar issue with the reference to Kerberos ticket. It should be consistent with the suggested changes to line 185.

Lines 195-197 - What are these error codes? Are they Kerberos error codes? If so, they should be codes defined in IETF specifications/drafts.

Lines 201-204 - Surely replay attacks etc. are already catered for when using Kerberos, so there is no need to add any WSS-specific measures?

Line 205 - Why sign a Kerberos ticket? What value does this add to that already provided by the Kerberos protocol?

Regards,
Tim.

-----Original Message-----
From: drsecure@us.ibm.com [mailto:drsecure@us.ibm.com]
Sent: 15 April 2004 03:15
To: wss@lists.oasis-open.org
Subject: [wss] Groups - oasis-xxxxx-wss-kerberos-token-profile-1.0.pdf uploaded

The document oasis-xxxxx-wss-kerberos-token-profile-1.0.pdf has been submitted by Anthony Nadalin (drsecure@us.ibm.com) to the OASIS Web Services Security TC document repository.

Document Description: Version 05

Download Document: http://www.oasis-open.org/apps/org/workgroup/wss/download.php/6394/oasis-xxxxx-wss-kerberos-token-profile-1.0.pdf

View Document Details: http://www.oasis-open.org/apps/org/workgroup/wss/document.php?document_id=6394
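The ticket-versus-token distinction Tim raises is visible on the wire: a GSS-API initial context token is an [APPLICATION 0] wrapper carrying the mechanism OID (1.2.840.113554.1.2.2 for Kerberos V5, per RFC 1964/RFC 4121) and a two-byte TOK_ID, whereas a bare KRB_AP_REQ starts with the [APPLICATION 14] tag and a bare Ticket with [APPLICATION 1]. The Ticket's realm and sname fields are cleartext in both RFC 1510 and rfc1510bis (RFC 4120), so a receiver can also tell whether it has been handed a TGT (sname krbtgt/REALM) rather than a service ticket. The following Python is an added example, not code from the OASIS draft or from anyone in this thread: it classifies the framing of a base64 token as it would appear in a wsse:BinarySecurityToken and extracts the service principal. All sample tokens are constructed in the script with stub EncryptedData and no real keys; the DER helpers and the names classify, classify_b64 and ticket_info are this example's own.

```python
"""
Classify the framing of a Kerberos-related binary token as it might be carried,
base64-encoded, in a WS-Security BinarySecurityToken, and read the service
principal name from the cleartext part of the Ticket.

Added example; not code from the OASIS draft or the thread. The sample tokens
below are constructed here with stub encrypted parts (no real cryptography).
"""
import base64

# DER value bytes of the GSS-API mechanism OIDs for Kerberos V5 (RFC 1964 / RFC 4121)
# and the legacy Microsoft variant.
MECH_NAMES = {
    bytes.fromhex("2a864886f712010202"): "Kerberos V5 (1.2.840.113554.1.2.2)",
    bytes.fromhex("2a864882f712010202"): "MS Kerberos V5 legacy (1.2.840.48018.1.2.2)",
}
# TOK_ID values that follow the mechanism OID inside a Kerberos V5 GSS token.
TOK_IDS = {b"\x01\x00": "KRB_AP_REQ", b"\x02\x00": "KRB_AP_REP", b"\x03\x00": "KRB_ERROR"}


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element at buf[pos]; single-byte tags only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner


def seq_fields(app_body):
    """Map context tag ([n] -> 0xA0+n) to value for the SEQUENCE inside an APPLICATION tag."""
    return dict(children(next(children(app_body))[1]))


def ticket_info(ticket_body):
    """Realm and sname of a Ticket ([APPLICATION 1], RFC 1510 / RFC 4120 5.3); both are cleartext."""
    fields = seq_fields(ticket_body)
    realm = next(children(fields[0xA1]))[1].decode("ascii")          # [1] Realm (GeneralString)
    pn = dict(children(next(children(fields[0xA2]))[1]))             # [2] PrincipalName SEQUENCE
    names = [v.decode("ascii") for _, v in children(next(children(pn[0xA1]))[1])]
    return {"sname": "/".join(names) + "@" + realm, "is_tgt": names[0] == "krbtgt"}


def classify(raw):
    """Say whether raw is a GSS InitialContextToken, a bare KRB_AP_REQ or a bare Ticket."""
    tag, body, _ = read_tlv(raw)
    if tag == 0x60:                                     # [APPLICATION 0] InitialContextToken
        _, oid, pos = read_tlv(body)                    # thisMech OBJECT IDENTIFIER
        tok_id, inner = body[pos:pos + 2], body[pos + 2:]
        info = {"framing": "GSS-API InitialContextToken",
                "mech": MECH_NAMES.get(oid, "unknown mechanism OID"),
                "inner": TOK_IDS.get(tok_id, "unknown TOK_ID")}
        if tok_id == b"\x01\x00" and inner[:1] == b"\x6e":   # descend into the wrapped AP-REQ
            info.update(ticket_info(next(children(seq_fields(read_tlv(inner)[1])[0xA3]))[1]))
        return info
    if tag == 0x6E:                                     # [APPLICATION 14] KRB_AP_REQ
        ticket_body = next(children(seq_fields(body)[0xA3]))[1]      # [3] Ticket
        return {"framing": "bare KRB_AP_REQ", **ticket_info(ticket_body)}
    if tag == 0x61:                                     # [APPLICATION 1] Ticket
        return {"framing": "bare Ticket", **ticket_info(body)}
    return {"framing": "unknown (leading tag 0x%02x)" % tag}


def classify_b64(text):
    """Classify the base64 text content of a BinarySecurityToken element."""
    return classify(base64.b64decode(text))


# --- constructed sample tokens (stub EncryptedData, no real cryptography) -----------------
def der(tag, *parts):
    body = b"".join(parts)
    n = len(body)
    hdr = bytes([tag, n]) if n < 0x80 else bytes([tag, 0x81, n])   # samples stay under 256 bytes
    return hdr + body

def ctx(n, *parts):                                    # context-specific [n], constructed
    return der(0xA0 + n, *parts)

def gstr(s):                                           # GeneralString
    return der(0x1B, s.encode("ascii"))

def enc_stub(size):                                    # EncryptedData: etype 18, zeroed cipher
    return der(0x30, ctx(0, der(0x02, b"\x12")), ctx(2, der(0x04, b"\x00" * size)))

def ticket(realm, *sname):
    pn = der(0x30, ctx(0, der(0x02, b"\x01")), ctx(1, der(0x30, *[gstr(c) for c in sname])))
    return der(0x61, der(0x30, ctx(0, der(0x02, b"\x05")), ctx(1, gstr(realm)),
                         ctx(2, pn), ctx(3, enc_stub(40))))

def ap_req(tkt):
    return der(0x6E, der(0x30, ctx(0, der(0x02, b"\x05")), ctx(1, der(0x02, b"\x0e")),
                         ctx(2, der(0x03, b"\x00\x20\x00\x00\x00")), ctx(3, tkt), ctx(4, enc_stub(32))))

def gss_init_token(inner):
    return der(0x60, der(0x06, bytes.fromhex("2a864886f712010202")), b"\x01\x00", inner)

SERVICE_TICKET = ticket("EXAMPLE.COM", "HTTP", "ws.example.com")
TGT = ticket("EXAMPLE.COM", "krbtgt", "EXAMPLE.COM")
SAMPLES = {name: base64.b64encode(tok).decode() for name, tok in [
    ("gss_ap_req", gss_init_token(ap_req(SERVICE_TICKET))),
    ("bare_ap_req", ap_req(SERVICE_TICKET)),
    ("bare_tgt", TGT),
]}

if __name__ == "__main__":
    for name, b64 in SAMPLES.items():
        print(name, classify_b64(b64))
```

Run stand-alone, the script prints one classification per sample: the GSS-wrapped and bare AP-REQ both resolve to HTTP/ws.example.com@EXAMPLE.COM, while the third sample is reported as a bare Ticket whose sname is krbtgt/EXAMPLE.COM, which is exactly the case Tim questions (a TGT carried in a SOAP message). A receiver would still rely on the profile's ValueType to know what it was promised, but checking the leading tag and sname of what actually arrived is a cheap consistency test.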