
security-services message



Subject: RE: [security-services] Groups - draft-sstc-solution-profile-kerberos-04.sxw uploaded


John,
 
see comments below.
 
John
-----Original Message-----
From: Linn, John [mailto:jlinn@rsasecurity.com]
Sent: 16 March 2004 15:08
To: 'Tim Alsop'; security-services@lists.oasis-open.org
Subject: RE: [security-services] Groups - draft-sstc-solution-profile-kerberos-04.sxw uploaded

I'd like to raise a few points regarding this document. 
 
It's unclear to me why two new profiles (Browser/Artifact Kerberos and Browser/POST Kerberos) need to be defined, rather than describing how to use existing profiles with Kerberos authentication technology.  Generally, I think it's appropriate to seek a model where profiles can be independent of authentication mechanism choices, and can be augmented by specific discussions of the relatively few mechanism-specific characteristics, rather than replicating and separately maintaining the general profile descriptions (which are at least largely invariant) for each mechanism with which the profile may be used.
 
<JOH>  I agree.  When writing the section the thought crossed my mind.  However as this document should be viewed as "input" to the appropriate normative doc editor(s) and therefore they can perform the appropriate "abstraction layering" - that this will require
 
 
At line 494, it seems inappropriate to describe an expired Informational status Internet-Draft under the heading of "standards ... available to authenticate a user", or, later, to cite it as a normative reference.  Is there an expectation that this document will be published on the IETF standards track, or as any form of RFC?
 
I believe that some clarification would be helpful in Sec. 4.3.1.  As it stands, the phrasing ("The Kerberos protocol can then be used to ... Requesting SAML Assertions") can be read to suggest that RFCs 2743 and 1964 will be used directly as a method to acquire SAML assertions, but the Kerberos GSS mechanism is unaware of SAML.  Rather than defining a SAML-aware Kerberos GSS mechanism, I assume that the intent is to establish a security context using Kerberos, and then to use that channel to carry assertion requests and responses.    
 
<JOH> Correct 
 
--jl
-----Original Message-----
From: Tim Alsop [mailto:Tim.Alsop@CyberSafe.Ltd.UK]
Sent: Monday, March 15, 2004 9:46 AM
To: security-services@lists.oasis-open.org
Cc: Tim Alsop
Subject: RE: [security-services] Groups - draft-sstc-solution-profile-kerberos-04.sxw uploaded

Hi,

As you will notice from the email below we (John and I) have completed the draft-04 version of the Kerberos Solution Profile documentation. We believe this version is ready to be merged into the normative documents (core, bindings, etc.) so that further work on Kerberos support in SAML 2.0 can then be progressed.

Thanks, Tim.

-----Original Message-----
From: Tim.Alsop@cybersafe.ltd.uk [mailto:Tim.Alsop@cybersafe.ltd.uk]
Sent: 15 March 2004 15:00
To: security-services@lists.oasis-open.org
Subject: [security-services] Groups - draft-sstc-solution-profile-kerberos-04.sxw uploaded

The document draft-sstc-solution-profile-kerberos-04.sxw has been submitted by Tim Alsop (Tim.Alsop@CyberSafe.Ltd.UK) to the OASIS Security Services TC document repository.

Document Description:
Kerberos Solution Profile - including Kerberos profiles, bindings and technical overview content.

Download Document: 
http://www.oasis-open.org/apps/org/workgroup/security/download.php/5935/draft-sstc-solution-profile-kerberos-04.sxw

View Document Details:
http://www.oasis-open.org/apps/org/workgroup/security/document.php?document_id=5935

