Subject: RE: Kerberos in Shibboleth?
> You seem to be a very knowledgeable guy so what are your
> comments on the addition of Kerberos support in Internet
> Explorer V6 with respect to Shibboleth?

I don't know enough about what they're doing to comment. RL Bob might know more (or not), assuming it's real and not vapor. Since Kerberos relies pretty strongly on communicating identity, it doesn't match up well with Shib outside of local authentication. If we passed identity, we could have done interrealm trust among a lot of schools a long time ago. Maybe some have, I don't know. We tried to do it with DCE in the Big 10, and it went nowhere, mostly due to a lack of web applications that wanted interrealm security (as distinct from some of what was going on in the research community).

> AFAIK Kerberos seems like a good way to authenticate to
> the AA, but would it really make sense for using it with
> RPs as well? Don't the PKI bindings do the work you and SAML need?

I'm less sanguine about the use of PKI than some, as it all strikes me as very arbitrary why my web server should trust this other signer or vice versa. But given a bunch of people willing to agree "here are the rules we'll accept for signers and certificate verification", which is a large part of what Club Shib is about, I don't have any concerns about implementing it using PKI. I don't see any interoperability there however.

> Or can Kerberos cure the MITM-attack problem inherent in
> SAML and Shibboleth? Without requiring additional OOB
> key information?

If you mean the web browser profile, I suppose any client with more smarts than today's browsers creates more options, right? But it doesn't matter to me, because I'm gonna be stuck supporting Netscape 4 for who knows how long yet. <grumble>

> To me (working with authentication of "representatives" from
> an organization to another organization) it does not seem like a
> universally good idea. But I'm not a Kerberos expert either...

Shib feels pretty strongly that authentication is a local issue, and identity is one of many attributes that a person may or may not want to share with a resource. Why we feel that way has perhaps as much to do with FERPA laws as philosophy.

-- Scott