
id-cloud message


Subject: Re: [id-cloud] IDcloud Use-Case

Hi Daniel,
   I think Thomas is pointing to Kerberos use cases in the Cloud and not
any particular product implementation here.

I am sure we will look at Kerberos in the second step (existing 
standards) along with the other existing IDM standards.

The current submission from Thomas does have value to the TC in my 
opinion, as he is outlining the MIT Kerberos Consortium's use cases and 
we have to be supportive of that.

Other thoughts/criticism welcome.


On 05/14/2010 02:12 PM, Daniel.E.Turissini.(Affiliate).ORC1000000106.ID wrote:
> I am not sure a particular product implementation should be the basis
> for a use case. Anil, shouldn't we focus on functional use cases that
> are not product specific?
>
> Thomas Hardjono wrote:
>> Folks,
>>
>> Here is my first cut of a "Kerberos-in-the-Cloud" use case.
>> Still rough. Please feel free to improve/suggest and add text.
>>
>> Regards.
>>
>> /thomas/
>>
>> ------------------------------------------
>>
>> Use Case: Kerberos-in-the-Cloud Services
>>
>> Today over 60% of medium to large enterprises deploy the Kerberos
>> authentication protocol as the primary user authentication method on
>> a daily basis. Furthermore, access to many intra-enterprise resources
>> and services is based on a single-sign-on (SSO) capability built
>> using Kerberos as an underlying authentication mechanism.
>>
>> Many Enterprises already deploying large Kerberos authentication
>> infrastructures seek to extend the usage of their infrastructure to
>> provide their employees/customers with access to external services
>> provided by their affiliates and partners in business. Furthermore,
>> for scaling and performance reasons they seek to use identity
>> providers and cloud-authentication services that support/implement
>> Kerberos authentication (for ease of interoperability with their
>> existing Enterprise Kerberos infrastructure).
>>
>> A Kerberos-in-the-cloud service would therefore be attractive (to an
>> Enterprise) not only for the Enterprise employees seeking services
>> (outbound), but also for Customers of the enterprise who wish to
>> access services offered by that enterprise (inbound). If a new
>> Customer was already a user of the Kerberos-in-the-Cloud service
>> (that was acceptable/trusted by the Enterprise), that Customer can
>> leverage the cloud service for SSO to the Enterprise service. An
>> example in this case would be a company (Enterprise) providing
>> financial services, both to other corporations (e.g. corporate 401K
>> management), as well as to individual consumers (e.g. individual
>> roll-over 401K accounts). This company/Enterprise would have
>> partnerships with other financial institutions (e.g. investment firms).
>>
>> Although the Kerberos-in-the-Cloud service is an attractive service,
>> there are a number of open technical issues requiring solutions:
>>
>> (a) Identity definition and attributes: One key issue is that of the
>> identity type/format/scope relating to Kerberos principal names when
>> deployed in a cloud environment. Related to this are the attributes
>> and other authorization parameters pertaining to the Kerberos
>> principal as found today in Kerberos V5 tickets and their usage in
>> cloud environments.
>>
>> (b) Identity metadata exchange: Another problem area is the
>> provisioning of Kerberos identities in the cloud, and the
>> sharing/exchange of identity metadata between the cloud service and
>> the Enterprise employees & customers. Some method of mapping internal
>> employee Kerberos names to cloud identities is required. Furthermore,
>> privacy of such identities may become a requirement on the part of the
>> Enterprise seeking to use that service.
>>
>> (c) Cross-realm trust: Another problem is the establishment of trust
>> (including symmetric key establishment) between the Enterprise and
>> the cloud service. One aspect of this problem is the need for a
>> mechanism for discovery of Kerberos-in-the-cloud configuration
>> parameters by Enterprises and consumer-users alike.
>>
>> (d) Interaction with other identity standards: If a
>> Kerberos-in-the-cloud service chooses to also play the role of an
>> identity provider within an Identity Federation system, there is the
>> possibility that other members of the federation may deploy a
>> different identity standard. Thus, interoperability is a key issue
>> that must be addressed.
>>
>> ------------------------------------------
>>
>> PS. I'll add more items and text as we go along...
>>
>> /thomas/
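Editorial note on item (c) of the quoted use case: cross-realm trust is the one part of the "Kerberos-in-the-Cloud" proposal for which Kerberos V5 already has a concrete mechanism, so an added example follows. It is not part of this thread, of the MIT Kerberos Consortium's submission, or of any MIT Kerberos code. It models how a krb5 client or KDC resolves the realm path from a krb5.conf [capaths] section (falling back to the hierarchical default when no entry exists), lists the krbtgt/REMOTE@LOCAL principals whose keys the two KDCs would have to share (the "symmetric key establishment" the use case mentions), and shows the receiving-side transit check. All realm names (ENTERPRISE.EXAMPLE, CLOUD.EXAMPLE, PARTNER.EXAMPLE) are constructed.

```python
"""Resolve the Kerberos cross-realm path between an enterprise realm and a
cloud realm, the way a krb5 client or KDC does from a [capaths] section,
and list the cross-realm keys that path requires.

Constructed example: every realm name below is hypothetical.
"""
from typing import Dict, List, Set

# Modelled on the krb5.conf [capaths] section: CAPATHS[client_realm][server_realm]
# lists the intermediate realms, and "." means a direct (one-hop) trust.
# Here the enterprise trusts the cloud service directly and reaches a business
# partner only through the cloud service (constructed data).
CAPATHS: Dict[str, Dict[str, List[str]]] = {
    "ENTERPRISE.EXAMPLE": {
        "CLOUD.EXAMPLE": ["."],
        "PARTNER.EXAMPLE": ["CLOUD.EXAMPLE"],
    },
    "CLOUD.EXAMPLE": {
        "ENTERPRISE.EXAMPLE": ["."],
        "PARTNER.EXAMPLE": ["."],
    },
}


def hierarchical_path(client_realm: str, server_realm: str) -> List[str]:
    """Default path when no [capaths] entry exists: walk up the realm-name
    hierarchy from the client realm to the closest common ancestor, then
    down to the server realm (A.CORP.EXAMPLE -> CORP.EXAMPLE -> B.CORP.EXAMPLE)."""
    c = client_realm.split(".")
    s = server_realm.split(".")
    common = 0
    while common < min(len(c), len(s)) and c[-1 - common] == s[-1 - common]:
        common += 1
    if common == 0:
        raise ValueError(
            f"no common ancestor realm for {client_realm} -> {server_realm}; "
            "a [capaths] entry is required")
    up = [".".join(c[i:]) for i in range(len(c) - common + 1)]   # client .. ancestor
    down = [".".join(s[i:]) for i in range(len(s) - common)]     # server .. child of ancestor
    return up + down[::-1]


def realm_path(client_realm: str, server_realm: str,
               capaths: Dict[str, Dict[str, List[str]]] = CAPATHS) -> List[str]:
    """Ordered list of realms a client in client_realm crosses to reach a
    service in server_realm: an explicit [capaths] entry wins, otherwise the
    hierarchical default applies."""
    if client_realm == server_realm:
        return [client_realm]
    hops = capaths.get(client_realm, {}).get(server_realm)
    if hops is None:
        return hierarchical_path(client_realm, server_realm)
    intermediates = [r for r in hops if r != "."]
    return [client_realm] + intermediates + [server_realm]


def required_cross_realm_keys(path: List[str]) -> List[str]:
    """Each hop R_i -> R_{i+1} needs the principal krbtgt/R_{i+1}@R_i, whose
    key must be held by both KDCs; provisioning these shared keys is the
    symmetric key establishment the use case refers to."""
    return [f"krbtgt/{path[i + 1]}@{path[i]}" for i in range(len(path) - 1)]


def transit_acceptable(path: List[str], trusted_intermediates: Set[str]) -> bool:
    """Receiving-side check: a ticket that crossed realms records the
    intermediate realms in its 'transited' field; the service (or its KDC)
    should reject a ticket that travelled through a realm it does not trust."""
    return all(r in trusted_intermediates for r in path[1:-1])


if __name__ == "__main__":
    for client, server in [("ENTERPRISE.EXAMPLE", "CLOUD.EXAMPLE"),
                           ("ENTERPRISE.EXAMPLE", "PARTNER.EXAMPLE"),
                           ("HR.ENTERPRISE.EXAMPLE", "PAYROLL.ENTERPRISE.EXAMPLE")]:
        p = realm_path(client, server)
        print(" -> ".join(p))
        for k in required_cross_realm_keys(p):
            print("   needs shared key for", k)
```

The point for the use case is the asymmetry this makes visible: the client side only needs a [capaths] entry (or a realm hierarchy) to find the cloud realm, but every hop on the path requires a pre-shared krbtgt key between two KDCs, and the receiving realm still has to police the transited field. A discovery mechanism for the cloud realm's configuration, as item (c) asks for, solves the first half and not the second. Real krb5 [capaths] handling has more cases than this model (multiple intermediates per entry, server-side path verification), so treat it as an illustration of the trust topology, not as a drop-in resolver.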
