Subject: RE: Kerberos in Shibboleth?


> Please enlighten me.  What kind of interoperability problems 
> do you anticipate?
> - Is it that every Club Shib member will make their own certs
>   holding arbitrary (Subject) definitions? 
> - Or is it concerns regarding root key distribution?

I guess I was a bit strong. There can be interop, but it depends on how
similar or different the decisions about trust (what/when/how) are.

Right now, Club Shib is DNS-driven. Everything has a name, the name is
in the cert, and we use trusted signers (Verisign, et al. almost
certainly among them) to basically validate ownership of DNS names. Cert
preconfig is kept pretty minimal, and release of attributes is really
just driven by a kind of authenticated DNS check.

I have no idea what other radically different scenarios might be put on
top of the Shib architecture, which doesn't specify any degree of
interoperability at the message exchange level because we're not
dictating how messages are to be authenticated or encrypted. Even if we
mandated use of PKI like Club Shib (and I suppose SAML) does, that
doesn't define a trust model.

I have some ideas for how to modularize the message layer by policy URIs
that would let us plug in different trust "engines", so to speak, but
until some practical experience is available, I'm focused on making this
work.

-- Scott
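The Club Shib trust decision described above (the DNS name is in the cert, a trusted signer vouches for ownership of that name, and attribute release is keyed on the authenticated name), as an added Python sketch that is not part of the original thread. The signer label, hostnames and attribute names are constructed, and real X.509 chain validation is replaced by a simple issuer lookup.

```python
from dataclasses import dataclass, field

@dataclass
class Cert:
    """Minimal stand-in for a peer's certificate (constructed, not real X.509)."""
    subject_dns: str                       # DNS name carried in the subject
    issuer: str                            # signer that vouches for DNS ownership
    sans: list = field(default_factory=list)  # subjectAltName DNS entries, if any

# Stands in for the Club Shib list of trusted signers (constructed label).
TRUSTED_SIGNERS = {"Verisign Class 3 CA"}

# Attribute-release policy keyed purely on the authenticated DNS name (constructed sample).
RELEASE_POLICY = {
    "sp.example.edu": ["eduPersonAffiliation", "eduPersonScopedAffiliation"],
    "*.partner.example.org": ["eduPersonAffiliation"],
}

def dns_name_matches(pattern, hostname):
    """Exact match, or a single leading '*' label that matches exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def authenticated_dns_name(cert, claimed_host):
    """Return the claimed host only if a trusted signer vouches for a cert name matching it."""
    if cert.issuer not in TRUSTED_SIGNERS:
        return None                        # unknown signer: no DNS ownership proof
    names = cert.sans or [cert.subject_dns]
    return claimed_host if any(dns_name_matches(n, claimed_host) for n in names) else None

def attributes_to_release(cert, claimed_host):
    """The 'authenticated DNS check': release is driven solely by the verified name."""
    host = authenticated_dns_name(cert, claimed_host)
    if host is None:
        return []
    for pattern, attrs in RELEASE_POLICY.items():
        if dns_name_matches(pattern, host):
            return list(attrs)
    return []
```
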
