Subject: RE: [security-services] AuthenticationMethod / NameIdentifier and Kerberos authentication



John,

RFC 1510 defines the Kerberos standard, and more recently has been updated to create an rfc1510bis (known as Kerberos clarifications). It is possible that rfc1510bis will eventually result in a new RFC number for the Kerberos protocol that will supersede rfc1510, but I am not 100% sure what the plans or conventions are with this. I can find out for sure if you think it might be important?

So, I wondered whether rfc1510 should be referenced in the assertion, and perhaps we should consider using the word "Kerberos" instead in the AuthMethod?

Anyway, various authentication methods are defined in complementary drafts or RFCs and each has its own pre-auth data type. The basic pre-auth types (e.g. userid/password) are described in rfc1510 and rfc1510bis.

This whole approach is being reviewed at the moment and a new draft was recently created to better structure the way multiple pre-authentication methods are implemented (see http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-preauth-framework-00.txt).

So, answering your specific questions:

- Pre-authentication is optional, but it is not very common to disable it since it improves security when enabled.

- Yes, your interpretation looks correct to me except that you should use the word 'pre-authentication' instead of 'authentication'.

Regards, Tim.

-----Original Message-----
From: John Kemp [mailto:john.kemp@nokia.com]
Sent: 12 April 2004 14:55
To: ext Tim Alsop
Cc: Scott Cantor; John Hughes; security-services@lists.oasis-open.org
Subject: Re: [security-services] AuthenticationMethod / NameIdentifier and Kerberos authentication

Hi Tim,

From what you're saying, I gather the following things about Kerberos
as an authentication method:

1) The Kerberos auth method itself is governed by RFC 1510.
2) Pre-authentication may take place.
3) Pre-authentication methods may be specified independently of RFC 1510.

So, it seems to me that 2) and 3) are actually contextual information
further describing the Kerberos authentication (i.e. that pre-auth took
place with some authentication method). Is that a correct interpretation?

Cheers,

- JohnK

ext Tim Alsop wrote:

> Scott,

> I noticed you had an AI from last F2F regarding representing Kerberos
> principals in an assertion.

> So far we have been assuming that the AuthenticationMethod should be:

> *URI:* urn:ietf:rfc:1510

> It appears to me that we could add the pre-auth data type onto this to
> become:

> *URI:* urn:ietf:rfc:1510:padata-type:<n>
> <n> is the preauthentication datatype as specified in the IETF draft
> or RFC specific to the authentication type

> However, if we have multiple NameIdentifiers, maybe we want to
> represent the Format for each principal that was authenticated to give
> uniqueness - see below:

> *URI:* urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos:padata-type:<n>
> <n> is the preauthentication datatype as specified in the IETF draft
> or RFC specific to the authentication type

> What do you think?

> Once we are in agreement as to what is needed I can write some
> normative text for inclusion on the specs.

> We also need to consider adding text to the authnrequest description
> so that a Kerberos initial ticket (tgt) lifetime can be carried over
> into the lifetime of the assertion.

> Thanks, Tim.
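As an added worked example (not code from this thread or from any OASIS or IETF specification): a small Python sketch of how a SAML issuer might recognise the AuthenticationMethod URI form Tim proposes above and derive the assertion lifetime from the Kerberos initial ticket's endtime, as the last point in his mail asks for. The `:padata-type:<n>` suffix is the thread's proposal and not a standard value; the timestamps and the 300-second default lifetime are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# SAML 1.1 AuthenticationMethod URI for Kerberos, as used in the thread above.
KERBEROS_AUTHN_METHOD = "urn:ietf:rfc:1510"

# The thread's proposed (never standardised) extension: the Kerberos
# pre-authentication data type number appended as ":padata-type:<n>".
_PADATA_RE = re.compile(r"^urn:ietf:rfc:1510(?::padata-type:(\d+))?$")

SAML_TIME = "%Y-%m-%dT%H:%M:%SZ"  # xsd:dateTime in UTC, as SAML assertions carry it


def parse_kerberos_authn_method(uri):
    """Classify an AuthenticationMethod URI.

    Returns (is_kerberos, padata_type): padata_type is the integer <n> from the
    proposed suffix, or None when the plain RFC 1510 URI was used. Anything
    else (including a malformed suffix) is reported as not Kerberos.
    """
    m = _PADATA_RE.match(uri)
    if not m:
        return (False, None)
    n = m.group(1)
    return (True, int(n) if n is not None else None)


def assertion_not_on_or_after(issue_instant, ticket_endtime, max_seconds=300):
    """Compute the assertion's NotOnOrAfter from the Kerberos ticket endtime.

    The assertion is capped by the issuer's own maximum lifetime (max_seconds)
    and never outlives the initial ticket, so a long-lived assertion cannot be
    minted from a ticket that is about to expire. Times are SAML UTC strings.
    """
    issued = datetime.strptime(issue_instant, SAML_TIME)
    ticket_end = datetime.strptime(ticket_endtime, SAML_TIME)
    if ticket_end <= issued:
        raise ValueError("Kerberos initial ticket already expired at issue time")
    end = min(issued + timedelta(seconds=max_seconds), ticket_end)
    return end.strftime(SAML_TIME)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment;
    # padata-type 2 is PA-ENC-TIMESTAMP in RFC 1510.
    print(parse_kerberos_authn_method("urn:ietf:rfc:1510:padata-type:2"))
    print(assertion_not_on_or_after("2004-04-12T14:55:00Z", "2004-04-12T22:55:00Z"))
```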
