Subject: RE: AuthenticationMethod / NameIdentifier and Kerberos authentication
> The pre-authentication type determines what Kerberos
> mechanism was used to authenticate, e.g. userid/password,
> token, smartcard. Just saying that a Kerberos method has been
> used is not clear enough.

I totally agree, I'm just saying that if the actual Kerberos client is sitting on a web server, and the user is sending his password in the clear or best case over TLS, that isn't Kerberos in any meaningful way I can see for the purposes of an access control decision at the service end. Preauth doesn't even factor into it because I can't even see calling it Kerberos.

Certainly I think authn context captures these distinctions, but the old method URI alone doesn't. I guess I thought there was some agreement on that, but if this is still a minority (or unique) position, the group can decide.

-- Scott