OASIS Mailing List Archives

security-services message

Subject: Re: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication

On Mon, 12 Apr 2004, Tim Alsop wrote:

> Scott,
> I agree that in an Internet environment the approach with a Kerberos
> client on the web server is more common at present.

I just glance at these SAML threads, but this one caught my eye.

Do you mean the "kerberos user" quite blatantly gives his kerberos name
AND PASSWORD to the web server? And then the web server gets the TGT from
the KDC AS service in the name of the kerberos user?


> However Kerberos and
> SAML together have more use today on Intranet or Extranet environments,
> where the more common approach will be to use the SPNEGO draft or some
> other similar method for user authentication to the web server.

> I am afraid I disagree with your statement about these two approaches being handled differently - in my view they should both be represented in the assertion in the same way since in both cases Kerberos was used to authenticate the user and present their identity to the web server securely.
> Thanks, Tim.
> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu]
> Sent: 12 April 2004 22:36
> To: 'Tim Alsop'
> Cc: 'John Hughes'; security-services@lists.oasis-open.org
> Subject: RE: AuthenticationMethod / NameIdentifier and Kerberos authentication
> > Using this approach the web server is a Kerberos service and
> > also a Kerberos client. This avoids a trojan horse attack
> > where the web server might not be the real web server that
> > the user submitted their userid/password to (over TLS).
> Only if you then go off and use the tickets elsewhere (as you suggest
> later). In many cases you don't, and the trojan attack works...your password
> is given away and the attacker has what he wants. The point (as I usually
> understood it) of the service ticket is to prevent a rogue KDC spoofing the
> web server.
> > So, in answer to your question - I can see this being
> > meaningful because it represents a common and secure way of
> > using Kerberos to authenticate a user and the pre-auth type
> > in this instance will likely be a 1,2 or 3.
> I think there's a difference (to a service provider that isn't a party to
> any of what you describe) between the very common case of a password going
> to the server, and the much less common case of a browser/client using
> Kerberos to get a TGT and then using a service ticket to establish its
> identity on the web server.
> Currently, it's my belief that the primitive method URIs in SAML capture
> this only in the sense that the former case is not supposed to be called
> "Kerberos" but rather "password". At least that's been my practice.
> -- Scott
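The distinction argued over in this thread, as an added illustration that is not part of the message or of any OASIS specification: an asserting party decides which SAML 1.1 AuthenticationMethod URI to put in an AuthenticationStatement based on how the user's Kerberos credentials actually reached the web server. The labelling rule (a password typed into the web server is reported as "password", only a client-presented service ticket is reported as "Kerberos") is Scott Cantor's stated practice from the message, not a normative rule; the URIs are the ones defined in SAML 1.1 Core section 7.1, and the request classifier, flow labels and sample request are constructed here.

```python
"""Added example: pick a SAML 1.1 AuthenticationMethod URI from the way the
user's Kerberos credentials reached the web server, then emit the
AuthenticationStatement. Not code from the thread or from any OASIS spec;
the labelling policy follows Scott Cantor's stated practice in the message."""
import datetime
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("saml", SAML1_NS)

# Authentication method identifiers defined in SAML 1.1 Core, section 7.1.
AM_PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"
AM_KERBEROS = "urn:ietf:rfc:1510"
AM_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.0:am:unspecified"

# Constructed labels for the two flows discussed in the thread.
PASSWORD_TO_WEB_SERVER = "password-to-web-server"  # user hands name+password to the web app, which does the AS exchange
SERVICE_TICKET = "service-ticket"                  # client already holds a TGT and presents a service ticket (SPNEGO)
UNKNOWN_FLOW = "unknown"

# Constructed timestamp, matching the date of the message, for the stand-alone run.
EXAMPLE_INSTANT = datetime.datetime(2004, 4, 12, 22, 36, tzinfo=datetime.timezone.utc)


def classify_request(headers: dict, form: dict) -> str:
    """Classify how credentials arrived at the web server (constructed, simplified).

    A real server must still validate the Negotiate token with GSSAPI; this only
    records which kind of credential the client exposed to the server.
    """
    auth = headers.get("Authorization", "")
    if auth.startswith("Negotiate "):
        return SERVICE_TICKET          # GSS-API token carrying a Kerberos AP-REQ
    if "password" in form:
        return PASSWORD_TO_WEB_SERVER  # the password itself was given to the server
    return UNKNOWN_FLOW


def authentication_method_uri(flow: str) -> str:
    """Map the observed flow to the method URI the asserting party reports.

    Only the case where the client obtained its own TGT and presented a service
    ticket is labelled Kerberos; when the password was handed to the web server,
    the relying party is told "password", because that is what was actually at risk.
    """
    if flow == SERVICE_TICKET:
        return AM_KERBEROS
    if flow == PASSWORD_TO_WEB_SERVER:
        return AM_PASSWORD
    return AM_UNSPECIFIED


def authentication_statement(subject_name: str, flow: str,
                             instant: datetime.datetime) -> ET.Element:
    """Build a minimal SAML 1.1 AuthenticationStatement element."""
    stmt = ET.Element(f"{{{SAML1_NS}}}AuthenticationStatement")
    stmt.set("AuthenticationMethod", authentication_method_uri(flow))
    utc = instant.astimezone(datetime.timezone.utc)
    stmt.set("AuthenticationInstant", utc.strftime("%Y-%m-%dT%H:%M:%SZ"))
    subject = ET.SubElement(stmt, f"{{{SAML1_NS}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML1_NS}}}NameIdentifier")
    name_id.text = subject_name
    return stmt


def statement_xml(subject_name: str, flow: str, instant: datetime.datetime) -> str:
    """Serialise the statement so it can be inspected or embedded in an assertion."""
    return ET.tostring(authentication_statement(subject_name, flow, instant),
                       encoding="unicode")


if __name__ == "__main__":
    # Constructed requests: one SPNEGO login, one HTML-form login.
    spnego = {"Authorization": "Negotiate YIIC...(constructed token)"}
    form_login = {"username": "tim", "password": "constructed-secret"}
    for flow in (classify_request(spnego, {}), classify_request({}, form_login)):
        print(statement_xml("tim@EXAMPLE.COM", flow, EXAMPLE_INSTANT))
```

Running it prints two statements for the same user that differ only in the method URI, which is exactly the information a service provider that was not party to the login needs in order to judge how much trust the credential deserves.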
