Re: [security-services] SAML 2.0 Work items - Kerberos

[Polar Humenn <polar@syr.edu>]

On Mon, 4 Aug 2003, Krishna Sankar wrote:

> Hi,
> 
> 	Have been thinking about this topic on my way to UK last night.
> Would like to bounce off some of the very initial questions I had.
> 
> 	a)	What : 
> 
> 			We want to support Kerberos as an authentication
> mechanism. Which means we need SAML equivalents for the various protocols
> and message formats for all interactions between Kerberos entities
> (AS/TGS/RTS/..) (RFC1510, Kerberos now uses ASN.1 and DER encoding). 

Why do we want to XMLize every protocol in creation? What is wrong with
the ASN.1 and DER encoding?

> will support cross-realm & transitive cross-realm authC and user-to-user
> authC. We will also support different tickets like forwardable, renewable
> and postdatable. We should be able to leverage existing SAML elements.
> Haven't thought thru yet.
> 
> 			What about popular derivatives of Kerberos like the
> Microsoft implementation ? I think we should make every attempt to seek out
> information and see if we can incorporate it in SAML Kerberos support.

Isn't the Microsoft implemenation just standard kerberos with some 
authorization information that there wasn't a standard for anyway?

I think you might be able to stick a SAML Authorization assertion in that
area, wouldn't you?

> 			Should we mandate any security context like secure
> channels for cross-realm communication, clock synchronization, 
> 
> 	b)	Why :
> 
> 			Leverage synergies between Kerberos and SAML.
>
> Support Kerberos natively thus enabling Kerberos artifacts to be used with
> SAML assertions. Kerberos authorities can now use a web service
> infrastructure. Applications that support SAML can now "speak" Kerberos.
> 
> 			To explore :
> 				 i)	Can SAML strengthen any of the
> weaknesses Kerberos has ? 

What weaknesses does Kerberos have, other than notoriously compact data 
and quick authentication response times?

Are you thinking of using the SAML Authentication Assertion?

> 				ii)	Is there an industry demand for
> Kerberos support for SAML ? 

That indeed, definately needs to be explored.

> 	c)	Should we add the Kerberos messages as SAML extensions or as
> native SAML assertions ? I think native support is better.

Again, why translate all that ASN.1 into XML?

> 	d)	For Kerberos support, we need the concept of a SAML
> Listener, associated message container and a listener protocol. I think it
> would be a good idea to have a generic SAML listener protocol. Extending
> further may be it is a good idea to have SAML containers and protocols for
> the basic 4 or 5 MEPs. We already have the req-resp MEP.

Sorry to be scarcastic, doesn't this sound like reinventing CORBA just
using XML instead of GIOP?

> 	Thoughts ?

Just my 28,438.93 Turkish Liras

Cheers,
-Polar

> -k.	 
> 
> 
> You may leave a Technical Committee at any time by visiting http://www.oasis-open.org/apps/org/workgroup/security-services/members/leave_workgroup.php
>