security-services message


Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication

On Tue, 13 Apr 2004, Tim Alsop wrote:

> Polar, Scott,
> If you would like me to I can give you some references to real
> implementations that use this method, but I will do this offline because
> I think we are going off subject for this discussion.

You know, I got a Microsoft box on my desk as well, as some people would
tout as a "real implementation" based on the fact that it has as much
existence as the chair I'm sitting on. Sometimes, I sit on the Microsoft

Disciplined engineering fields wouldn't stand for some of the things
thought up by software, albeit there is a lot more peer review before
acceptance of practices in those engineering fields, of structural,
electrical etc.

> There is no doubt that the many ways of using Kerberos in a web
> environment today are far from ideal and some are better than others. I
> would however say that using Kerberos in this way (Kerberos client on
> web server) is more secure than a simple password check at the web
> server. Also, the password is not stored, so attacks on password are
> addressed because of TLS being used between browser and web server. The
> web server simply sends the AS-REQ and destroys the users password
> because it is no longer needed.

One can only hope. Just waiting for the day Ashcroft comes down secretly
invoking the Patriot Act to start recording them, for his use later, or
quite possibly in your name.

> Anyway, I don't want to discuss the merits of the Kerberos
> implementations and which is better or more appropriate. There are
> better places to have such a discussion if needed. What we are
> discussing here is whether we represent this type of Kerberos
> authentication in a web environment with SAML as being done using
> Kerberos method - my vote is yes.
> The reason why we should represent this use of Kerberos in the same way
> as any other is that we can clearly define 'using Kerberos in a web
> environment' as something like :
> 1. a user enters userid/password, token challenge, smart card, or some other information
> 2. The users information is used to obtain a tgt
> 3. The tgt is used to obtain a service ticket
> 4. The service ticket is presented to a service
> 5. The service decrypts the service ticket using a secret key and thus determines the principal name of the user
> 6. The principal name of the user is represented in the SAML assertion
> So, you can see that this approach to using Kerberos can be represented
> by the above, just as well as any other. I see no reason to say that one
> method of using Kerberos is represented in an assertion and another is
> not. If you disagree please convince me why we should differentiate ?

What I see, is the inability for the software community "to get over it",
and to rise above and overcome the problems associated with having to pass
username/password credentials around to get anything done.

We have come up with what I perceive as excellent time tested engineering
in authentication technology that keeps a secret, a secret, Kerberos.
Kerberos keeps passwords/keys local to the owner, issuing
authorized tickets with limits for service, all which go far beyond the
complexity of PKI "solutions". And the "standards" just keep perpetuating
the inferior.

I know you gotta do what you gotta do, and I know an opinion from me isn't
going to stop it. But it makes me feel better to have said it.

I just think it's sad.

Okay, I've said my piece, I'll get off my soap box.


> Thanks,
> Tim.
> -----Original Message-----
> From: Polar Humenn [mailto:polar@syr.edu]
> Sent: 13 April 2004 02:18
> To: Scott Cantor
> Cc: security-services@lists.oasis-open.org
> Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication
> My first reaction is, "You've got to be kidding me!",
> then sadly, or more frighteningly, you wouldn't be.
> I'll agree with you.  I wouldn't call that Kerberos. My god.
> Sometimes, I just wonder what other abominations .....
> Gezzzz,
> -Polar
> On Mon, 12 Apr 2004, Scott Cantor wrote:
> > > Do you mean the "kerberos user" quite blatantly gives his kerberos name
> > > AND PASSWORD to the web server? And then the web server gets the TGT from
> > > the KDC AS service in the name of the kerberos user?
> >
> > Sure, that's how the vast majority of web SSO systems work if the
> > authentication source is Kerberos. Obviously Kerberos is fairly incidental
> > in that environment; a password database is just as good (or bad).
> >
> > Ideally that traffic is confined to a single trusted server that doesn't
> > host applications, just the weblogin process. In practice, people do
> > basic-auth over SSL to Kerberos all over, all the time.
> >
> > -- Scott
> >
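As an added illustration of step 6 in Tim's list (example code, not from the thread or from any OASIS deliverable): a SAML 1.1 AuthenticationStatement that carries the principal name recovered from the decrypted service ticket, using the SAML 1.1 Kerberos method URI urn:ietf:rfc:1510. The issuer URL, the choice to put the realm in NameQualifier, and the unspecified NameIdentifier format are assumptions.

```python
import secrets
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"      # SAML 1.x assertion namespace
KERBEROS_METHOD = "urn:ietf:rfc:1510"                  # SAML 1.1 AuthenticationMethod URI for Kerberos
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"  # assumed format


def kerberos_authn_assertion(principal, issuer, authn_instant):
    """Build a SAML 1.1 assertion for a principal authenticated via Kerberos.

    principal is the client name taken from the service ticket (step 5), e.g.
    "alice@EXAMPLE.ORG". Nothing here records whether the browser or the web
    server performed the AS-REQ; the statement only says "Kerberos" and "who".
    """
    if "@" in principal:
        name, realm = principal.rsplit("@", 1)
    else:
        name, realm = principal, ""          # unqualified name: no realm to carry
    ET.register_namespace("saml", SAML_NS)
    assertion = ET.Element(f"{{{SAML_NS}}}Assertion", {
        "MajorVersion": "1", "MinorVersion": "1",
        "AssertionID": "_" + secrets.token_hex(16),   # random, unique assertion id
        "Issuer": issuer,
        "IssueInstant": authn_instant,
    })
    stmt = ET.SubElement(assertion, f"{{{SAML_NS}}}AuthenticationStatement", {
        "AuthenticationMethod": KERBEROS_METHOD,
        "AuthenticationInstant": authn_instant,
    })
    subject = ET.SubElement(stmt, f"{{{SAML_NS}}}Subject")
    nameid = ET.SubElement(subject, f"{{{SAML_NS}}}NameIdentifier", {
        "Format": NAMEID_UNSPECIFIED,
        "NameQualifier": realm,                # assumption: realm goes in NameQualifier
    })
    nameid.text = name
    return ET.tostring(assertion, encoding="unicode")


def read_authn_statement(assertion_xml):
    """Return (AuthenticationMethod, NameIdentifier text, NameQualifier) from an assertion."""
    root = ET.fromstring(assertion_xml)
    stmt = root.find(f"{{{SAML_NS}}}AuthenticationStatement")
    nameid = stmt.find(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameIdentifier")
    return stmt.get("AuthenticationMethod"), nameid.text, nameid.get("NameQualifier")


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    doc = kerberos_authn_assertion("alice@EXAMPLE.ORG", "https://weblogin.example.org", "2004-04-13T02:18:00Z")
    print(doc)
    print(read_authn_statement(doc))
```

The resulting statement is the same whether the user's password was consumed by a Kerberos client in the browser or by the web server's weblogin process, which is exactly why the thread disagrees about whether both deserve the Kerberos method label.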
