security-services message

Subject: RE: AuthenticationMethod / NameIdentifier and Kerberos authentication

> Using this approach the web server is a Kerberos service and 
> also a Kerberos client. This avoids a trojan horse attack 
> where the web server might not be the real web server that 
> the user submitted their userid/password to (over TLS).

Only if you then go off and use the tickets elsewhere (as you suggest
later). In many cases you don't, and the trojan attack works...your password
is given away and the attacker has what he wants. The point (as I usually
understood it) of the service ticket is to prevent a rogue KDC spoofing the
web server.

> So, in answer to your question - I can see this being 
> meaningful because it represents a common and secure way of 
> using Kerberos to authenticate a user and the pre-auth type 
> in this instance will likely be a 1,2 or 3.

I think there's a difference (to a service provider that isn't a party to
any of what you describe) between the very common case of a password going
to the server, and the much less common case of a browser/client using
Kerberos to get a TGT and then using a service ticket to establish its
identity on the web server.

Currently, it's my belief that the primitive method URIs in SAML capture
this only in the sense that the former case is not supposed to be called
"Kerberos" but rather "password". At least that's been my practice.

-- Scott
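The distinction Scott draws above, between a password that lands on the web server (whatever the server then does with it) and a client that presents a Kerberos service ticket, is a question of which AuthenticationMethod URI an issuer puts into a SAML 1.x AuthenticationStatement. The following is an added worked example, not part of the original thread: it maps a constructed "how did the user authenticate" record to the SAML 1.1 URIs `urn:oasis:names:tc:SAML:1.0:am:password` and `urn:ietf:rfc:1510` (Kerberos), emits the statement, and shows a service-provider check that only trusts the Kerberos method. The event record fields (`credential`, `server_obtained_tgt`) are hypothetical names chosen for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# SAML 1.x assertion namespace and the AuthenticationMethod identifiers
# defined by the SAML 1.1 core specification.
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
AM_PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"
AM_KERBEROS = "urn:ietf:rfc:1510"


def choose_authentication_method(event: dict) -> str:
    """Map how the user actually authenticated to a SAML 1.x method URI.

    `event` is a constructed record for this example:
      credential          -> "password" or "kerberos-service-ticket"
      server_obtained_tgt -> True when the web server used the password
                             to get its own tickets afterwards
    A password delivered to the server is reported as 'password' even if
    the server then obtained a TGT with it: the relying party only learns
    what the client itself proved, and the client proved a password.
    """
    cred = event.get("credential")
    if cred == "kerberos-service-ticket":
        return AM_KERBEROS
    if cred == "password":
        return AM_PASSWORD
    raise ValueError(f"unknown credential type: {cred!r}")


def build_authentication_statement(name_id: str, method_uri: str,
                                   instant: datetime) -> str:
    """Serialize a minimal SAML 1.x AuthenticationStatement."""
    ET.register_namespace("saml", SAML1_NS)
    stmt = ET.Element(f"{{{SAML1_NS}}}AuthenticationStatement", {
        "AuthenticationMethod": method_uri,
        "AuthenticationInstant": instant.strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    subject = ET.SubElement(stmt, f"{{{SAML1_NS}}}Subject")
    nid = ET.SubElement(subject, f"{{{SAML1_NS}}}NameIdentifier")
    nid.text = name_id
    return ET.tostring(stmt, encoding="unicode")


def statement_method(statement_xml: str) -> str:
    """Read the AuthenticationMethod back out of a statement."""
    root = ET.fromstring(statement_xml)
    if root.tag != f"{{{SAML1_NS}}}AuthenticationStatement":
        raise ValueError("not a SAML 1.x AuthenticationStatement")
    return root.get("AuthenticationMethod", "")


def sp_accepts(statement_xml: str, allowed_methods: set) -> bool:
    """Service-provider policy: accept only the listed method URIs.

    An SP that wants ticket-based proof (not a password handed to some
    web server) lists only AM_KERBEROS here.
    """
    return statement_method(statement_xml) in allowed_methods


if __name__ == "__main__":
    now = datetime(2001, 1, 1, tzinfo=timezone.utc)  # constructed instant
    # Constructed events: form login over TLS, and SPNEGO-style ticket.
    pw_event = {"credential": "password", "server_obtained_tgt": True}
    krb_event = {"credential": "kerberos-service-ticket"}
    for ev in (pw_event, krb_event):
        method = choose_authentication_method(ev)
        xml = build_authentication_statement("alice", method, now)
        print(method, "accepted:", sp_accepts(xml, {AM_KERBEROS}))
```

Run as-is, the password-backed statement is rejected by the Kerberos-only policy while the ticket-backed one is accepted, which is the practical consequence of labelling the first case "password" rather than "Kerberos".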
