Subject: RE: AuthenticationMethod / NameIdentifier and Kerberos authentication
> Using this approach the web server is a Kerberos service and
> also a Kerberos client. This avoids a trojan horse attack
> where the web server might not be the real web server that
> the user submitted their userid/password to (over TLS).

Only if you then go off and use the tickets elsewhere (as you suggest later). In many cases you don't, and the trojan attack works... your password is given away and the attacker has what he wants. The point (as I usually understood it) of the service ticket is to prevent a rogue KDC spoofing the web server.

> So, in answer to your question - I can see this being
> meaningful because it represents a common and secure way of
> using Kerberos to authenticate a user and the pre-auth type
> in this instance will likely be a 1, 2 or 3.

I think there's a difference (to a service provider that isn't a party to any of what you describe) between the very common case of a password going to the server, and the much less common case of a browser/client using Kerberos to get a TGT and then using a service ticket to establish its identity on the web server. Currently, it's my belief that the primitive method URIs in SAML capture this only in the sense that the former case is not supposed to be called "Kerberos" but rather "password". At least that's been my practice.

-- Scott