
Subject: Re: [security-services] AuthenticationMethod / NameIdentifier and Kerberos authentication

ext Tim Alsop wrote:

> John,
> The RFC1510 defines the Kerberos standard, and more recently has been 
> updated to create an rfc1510bis (known as Kerberos clarifications). It 
> is possible that rfc1510bis will eventually result in a new rfc number 
> for the Kerberos protocol that will supersede rfc1510, but I am not 
> 100% sure what the plans or conventions are with this. I can find out 
> for sure if you think it might be important?
> So, I wondered whether rfc1510 should be referenced in the assertion, 
> and perhaps we should consider using the word "Kerberos" instead in 
> the AuthMethod?
I think I tend to agree with you, if there will be at least two RFCs 
that may be implemented to provide Krb support. Unless we need to 
support indication of which RFC is adhered to in the authentication 
method (for IOP purposes perhaps), we would probably be better off 
defining an SSTC authentication method for Krb that is "RFC-agnostic".

> Anyway, various authentication methods are defined in complementary 
> drafts or RFCs and each has its own pre-auth data type. The basic 
> pre-auth types (e.g. userid/password) are described in rfc1510 and 
> rfc1510bis.
> This whole approach is being reviewed at the moment and a new draft 
> was recently created to better structure the way multiple 
> pre-authentication methods are implemented (see 
> http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-preauth-framework-00.txt).
Thanks for the reference - I'll take a look at this.

> So, answering your specific questions:
> - Pre-authentication is optional, but it is not very common to disable 
> it since it improves security when enabled.
OK - but whether it took place, and how it took place is contextual 
information pertaining to the Kerberos authentication event. As such, it 
probably should be encapsulated as authentication context statements 
specific to the Kerberos authentication method.

> - Yes, your interpretation looks correct to me except that you should 
> use the word 'pre-authentication' instead of 'authentication'.
OK thanks.


- JohnK
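The "RFC-agnostic" point above matters on the consuming side: a relying party that hard-codes `urn:ietf:rfc:1510` (the SAML 1.1 AuthenticationMethod URI for Kerberos) breaks as soon as a second, RFC-neutral Kerberos identifier is introduced. The following added example, which is not part of this thread or of any SSTC deliverable, shows a consumer that maps method URIs to a method family before enforcing policy. The URI `urn:example:sstc:authmethod:kerberos` is a hypothetical placeholder for an RFC-agnostic identifier; the sample assertions are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Real SAML 1.1 AuthenticationMethod URIs.
KERBEROS_RFC1510 = "urn:ietf:rfc:1510"
PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"
# Hypothetical placeholder for an RFC-agnostic Kerberos method URI
# (assumed for this example; no such URI is defined by the thread).
KERBEROS_AGNOSTIC = "urn:example:sstc:authmethod:kerberos"

# Policy is written against a method family, not against one RFC number,
# so adding a new Kerberos URI is a one-line table change.
METHOD_FAMILY = {
    KERBEROS_RFC1510: "kerberos",
    KERBEROS_AGNOSTIC: "kerberos",
    PASSWORD: "password",
}


def authentication_family(assertion_xml: str) -> str:
    """Return the method family of the assertion's AuthenticationStatement.

    Unknown or missing methods map to "unknown", which policy treats as deny.
    """
    root = ET.fromstring(assertion_xml)
    stmt = root.find(f"{{{SAML1_NS}}}AuthenticationStatement")
    if stmt is None:
        return "unknown"
    method = stmt.get("AuthenticationMethod", "")
    return METHOD_FAMILY.get(method, "unknown")


def accept_kerberos_only(assertion_xml: str) -> bool:
    """Relying-party policy: accept only Kerberos-authenticated subjects."""
    return authentication_family(assertion_xml) == "kerberos"


def sample_assertion(method_uri: str, name: str = "alice@EXAMPLE.COM") -> str:
    """Build a constructed SAML 1.1 assertion carrying one AuthenticationStatement."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML1_NS}" MajorVersion="1" MinorVersion="1" '
        f'AssertionID="_example" Issuer="example-idp" '
        f'IssueInstant="2004-06-01T12:00:00Z">'
        f'<saml:AuthenticationStatement AuthenticationMethod="{method_uri}" '
        f'AuthenticationInstant="2004-06-01T11:59:00Z">'
        f'<saml:Subject><saml:NameIdentifier>{name}</saml:NameIdentifier></saml:Subject>'
        f'</saml:AuthenticationStatement>'
        f'</saml:Assertion>'
    )


if __name__ == "__main__":
    for uri in (KERBEROS_RFC1510, KERBEROS_AGNOSTIC, PASSWORD, "urn:example:unlisted"):
        xml = sample_assertion(uri)
        print(uri, "->", authentication_family(xml), "accept:", accept_kerberos_only(xml))
```

Because the policy decision is made on the family rather than the raw URI, the consumer behaves identically whether the issuer emits the RFC 1510 URI or a later RFC-neutral one, and anything it has not been told about is rejected rather than guessed at.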
