RE: [id-cloud] IDcloud Use-Case

[Thomas Hardjono <hardjono@MIT.EDU>]

Thanks Daniel and Anil.

The Kerberos authentication protocol is defined by RFC4120. As such it is not a product. 
There are multiple implementations of the Kerberos protocol, both open source
and proprietary.

http://www.ietf.org/rfc/rfc4120.txt

PS. Some folks may strongly associate Kerberos with Active Directory (from Microsoft),
and some may even think it was invented by Microsoft. However, RFC1510 that defines the
Kerberos v5 protocol pre-dates AD by a few years :)

http://www.ietf.org/rfc/rfc1510.txt

Hope this clarifies.

Regards.

/thomas/


________________________________________
From: Daniel.E.Turissini.(Affiliate).ORC1000000106.ID [turissd@orc.com]
Sent: Friday, May 14, 2010 3:25 PM
To: Anil Saldhana
Cc: id-cloud@lists.oasis-open.org
Subject: Re: [id-cloud] IDcloud Use-Case

I think it does too, just trying to level set the process. I always get
a little concerned when the analysis begins with product
implementations. It tends to limit the flexibility of the analysis. I am
on board!

Anil Saldhana wrote:
> Hi Daniel,
>   I think Thomas is pointing to Kerberos usecases in the Cloud and not
> any particular product implementation here.
>
> I am sure we will look at Kerberos in the second step (existing
> standards) along with the other existing IDM standards.
>
> The current submission from Thomas does have value to the TC in my
> opinion, as he is outlining the MIT Kerberos Consortium's use cases
> and we have to be supportive of that.
>
> Other thoughts/criticism welcome.
>
> Regards,
> Anil
>
>
> On 05/14/2010 02:12 PM,
> Daniel.E.Turissini.(Affiliate).ORC1000000106.ID wrote:
>> I am not sure a particular product implementation should be the bases
>> for a use case. Anil, shouldn't we focus on functional use cases that
>> are not product specific?
>>
>> Thomas Hardjono wrote:
>>> Folks,
>>>
>>> Here is my first cut of a "Kerberos-in-the-Cloud" use case.
>>> Still rough. Please feel free to improve/suggest and add text.
>>>
>>> Regards.
>>>
>>> /thomas/
>>>
>>> ------------------------------------------
>>> Use Case: Kerberos-in-the-Cloud Services
>>>
>>> Today over 60% of medium to large enterprises deploy the Kerberos
>>> authentication protocol as the primary user authentication method on
>>> a daily basis. Furthermore, access to many intra-enterprise
>>> resources and services is based on a single-sign-on (SSO) capability
>>> built using Kerberos as an underlying authentication mechanism.
>>>
>>> Many Enterprises already deploying large Kerberos authentication
>>> infrastructures seek to extend the usage of their infrastructure to
>>> provide their employees/customers with access to external services
>>> provided by their affiliates and partners in business. Furthermore,
>>> for scaling and performance reasons they seek to use identity
>>> providers and cloud-authentication services that support/implement
>>> Kerberos authentication (for ease of interoperability with their
>>> existing Enterprise Kerberos infrastructure).
>>>
>>> A Kerberos-in-the-cloud service would therefore be attractive (to an
>>> Enterprise) not only for the Enterprise employees seeking services
>>> (outbound), but also for Customers of the enterprise who wish to
>>> access services offered by that enterprise (inbound). If a new
>>> Customer was already a user of the Kerberos-in-the-Cloud service
>>> (that was acceptable/trusted by the Enterprise), that Customer can
>>> leverage the cloud service for SSO to the Enterprise service. An
>>> example in this case would be a company (Enterprise) providing
>>> financial services, both to other corporations (e.g. corporate 401K
>>> management), as well as to individual consumers (e.g. individual
>>> roll-over 401K accounts). This company/Enterprise would have
>>> partnerships with other financial institutions (e.g. investment firms).
>>>
>>> Although the Kerberos-in-the-Cloud service is an attractive service,
>>> there are a number of open technical issues requiring solutions:
>>>
>>> (a) Identity definition and attributes: One key issue is that of the
>>> identity type/format/scope relating to Kerberos principal names when
>>> deployed in a cloud environment. Related to this is the attributes
>>> and other authorization parameters pertaining to the Kerberos
>>> principal as found today in Kerberos V5 tickets and their usage in
>>> cloud environments.
>>>
>>> (b) Identity metadata exchange: Another problem area is the
>>> provisioning of Kerberos identities in the cloud, and the
>>> sharing/exchange of identity metadata between the cloud service and
>>> the Enterprise employees & customers. Some method of mapping
>>> internal employee Kerberos names to cloud identities is required.
>>> Furthermore, privacy of such identities may become requirement on
>>> the part of the Enterprise seeking to use that service.
>>>
>>> (c) Cross-realm trust: Another problem is the establishment of trust
>>> (including symmetric key establishment) between the Enterprise and
>>> the cloud service. One aspect of this problem is the need for a
>>> mechanism for discovery of Kerberos-in-the-cloud configuration
>>> parameters by Enterprises and consumer-users alike.
>>>
>>> (d) Interaction with other identity standards: If a
>>> Kerberos-in-the-cloud service chooses to also play the role of an
>>> identity provider within an Identity Federation system, there is the
>>> possibility that other members of the federation may deploy a
>>> different identity standard. Thus, interoperability is a key issue
>>> that must be addressed.
>>> ------------------------------------------
>>>
>>>
>>> PS. I'll add more items and text as we go along...
>>>
>>> /thomas/
>
>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

--

Daniel E. Turissini,

CEO, Operational Research Consultants, Inc.



11250 Waples Mill Road, South Tower, Suite 210, Fairfax, Virginia 22030



703-246-8550



:: View the ORC/ FiXs Presentation [http://tinyurl.com/p6rs52] from
AFCEA LandWarNet 2009 ::



The information transmitted in this e-mail is for the exclusive use of
the person or entity to which it is addressed and may contain legally
privileged or confidential information. If you are not the intended
recipient of this e-mail, you are prohibited from reading, printing,
duplicating, disseminating or otherwise using or acting in reliance upon
this information. If you have received this information in error, please
notify the sender at Operational Research Consultants, Inc. immediately,
delete this information from your computer and destroy all copies of the
information.


---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php