security-services-comment message


Subject: RE: SAML attributes for Kerberos


> > Can you clarify for me who needs access to the shared key? Is this
> > something that the Kerberos libraries would need to be able to derive
> > from state that only it would have access to, or is it supplied from
> > outside to the relevant Kerberos library APIs?
> 
> I'm not entirely sure what you're asking, but it sounds like an
> implementation-specific question.

What I mean is, does the message have to be encrypted with some key that
involves keying material that involves the KDC in any way, or is it just
arbitrary to the standard for this message, but may not be arbitrary to
particular implementations? It sounds like the latter.

> * Unfortunately, krb5_get_forwarded_creds() is not actually a good API
>   for this, as it also handles the details of getting forwarded tickets
>   from the KDC.  Since ticket forwarding is specified only for TGT's, this
>   means this interface can only be used to forward a TGT, though the
>   KRB-CRED PDU itself has no such constraint.

So actual implementations, pending enhancement of Kerberos libraries, might
need implementation-specific code to translate the local credential cache
form into the PDU and back?

-- Scott
