OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: Re: Kerberos in Shibboleth?


Thanx for your comments on Kerberos.  Since MSFT is actually
tagetting SAML-scenarios with their "federated Passport", this
is extremely important for the SAML TC to get more info on.

>I'm less sanguine about the use of PKI than some, as it all strikes me
>as very arbitrary why my web server should trust this other signer or
>vice versa. But given a bunch of people willing to agree "here are the
>rules we'll accept for signers and certificate verification", which is a
>large part of what Club Shib is about, I don't have any concerns about
>implementing it using PKI. I don't see any interoperability there

Please enlighten me.  What kind of interoperability problems do
you anticipate?
- Is it that every Club Shib member will make their own certs
  holding arbitrary (Subject) definitions? 
- Or is it concerns regarding root  key distribution?

Using TTP-issued certficates like VeriSign's Web Server certficates
you will limit interoperability problems considerably.  A remaining
problem with web server certificates is that they certify a DNS-
name, while a DUNS number would actually be superior as it
is independent of if the server has DNS "secure.acme.com" or
"sec1.acme.com".  I.e. a "farm" of security servers may serve
a single legal entity, and in that case VeriSign's et al certificates
breaks down.  Particularly as "acme.com" may be used
for a number of Acme-associated legal entities.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC