
security-services message



Subject: RE: AuthenticationMethod / NameIdentifier and Kerberos authentication


> The pre-authentication type determines what Kerberos 
> mechanism was used to authenticate, e.g. userid/password, 
> token, smartcard. Just saying that a Kerberos method has been 
> used is not clear enough.

I totally agree, I'm just saying that if the actual Kerberos client is
sitting on a web server, and the user is sending his password in the clear
or best case over TLS, that isn't Kerberos in any meaningful way I can see
for the purposes of an access control decision at the service end.

Preauth doesn't even factor into it because I can't even see calling it
Kerberos.

Certainly I think authn context captures these distinctions, but the old
method URI alone doesn't.

I guess I thought there was some agreement on that, but if this is still a
minority (or unique) position, the group can decide.

-- Scott


