OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: RE: Kerberos in Shibboleth?

> You seem to be a very knowledgeable guy so what is your 
> comments to the additions of kerberos support in Internet 
> Explorer V6 with respect to Shibboleth?

I don't know enough about what they're doing to comment. RL Bob might
know more (or not), assuming it's real and not vapor. Since Kerberos
relies pretty strongly on communicating identity, it doesn't match up
well with Shib outside of local authentication.

If we passed identity, we could have done interrealm trust among a lot
of schools a long time ago. Maybe some have, I don't know. We tried to
do it with DCE in the Big 10, and it went nowhere, mostly due to a lack
of web applications that wanted interrealm security (as distinct from
some of what was going in the research community).

> AFAIK kerberos seems like a good way to authenticate to
> the AA but would it really make sense for using it with
> RPs as well?  Does not the PKI-bindings do the work you and SAML need?

I'm less sanguine about the use of PKI than some, as it all strikes me
as very arbitrary why my web server should trust this other signer or
vice versa. But given a bunch of people willing to agree "here are the
rules we'll accept for signers and certificate verification", which is a
large part of what Club Shib is about, I don't have any concerns about
implementing it using PKI. I don't see any interoperability there

> Or can kerberos cure then MITM-attack problem inherent in
> SAML and Shibboleth?  Without requiring additional OOB-
> key information?

If you mean the web browser profile, I suppose any client with more
smarts than today's browsers creates more options, right? But it doesn't
matter to me, because I'm gonna be stuck supporting Netscape 4 for who
knows how long yet. <grumble>

> To me (working with authentication of "representatives" from
> an organization to another organization) it seems not like 
> universally good idea.  But I'm not a kerberos-expert either...

Shib feels pretty strongly that authentication is a local issue, and
identity is one of many attributes that a person may or may not want to
share with a resource. Why we feel that way has perhaps as much to do
with FERPA laws as philosophy.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC