security-services message
Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication


> In my last email I described one reason why a password 
> database check is not the same as using Kerberos, but (again) 
> I don't think the various ways of authenticating with 
> Kerberos and which is better needs to be discussed.

This is basically the point though. Obviously you disagree, which is fine,
but for me, the issue is precisely how the *client* authenticates, not how
the web server that is colocated with the authentication authority
authenticates.

As a relying party, there's a difference between a client getting a TGT and
never exposing the password to the network, and using TLS to ship it up to the
server. Using a single authentication method for both is essentially (for
me) rendering it meaningless, since I may very well consider one acceptable
and the other not acceptable. Of course, if authn context can distinguish
this, that's fine too, there's no need to deal with it in the legacy
methods.

All that said, I'm not making Polar's argument. I'm a realist, and we do the
password over TLS approach every day on the order of 30,000-60,000 times on
the web and many million times for email checks (and that's cleartext!).
I'm not discussing whether it's good, bad, or indifferent (that's
irrelevant), just that it's not IMHO Kerberos in any useful sense.

-- Scott
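
As an added example (not part of this thread or any OASIS deliverable): a relying-party check, in Python, that accepts or rejects a SAML assertion according to the authentication context it carries, so that "client obtained a Kerberos ticket" and "password sent over TLS" are distinguishable at the point where it matters. It assumes the SAML 2.0 AuthnContext class URIs for Kerberos and PasswordProtectedTransport, and the assertions it parses are constructed, unsigned samples.

```python
"""Relying-party policy on SAML authentication context (added example, not from the thread)."""
from typing import FrozenSet, Optional
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumption: SAML 2.0 authentication context class URIs. Kerberos means the client
# held a ticket; PasswordProtectedTransport means a password crossed a TLS channel.
KERBEROS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"
PASSWORD_TLS = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Two relying-party policies: one treats the two methods as equivalent, the other does not.
LENIENT_POLICY: FrozenSet[str] = frozenset({KERBEROS, PASSWORD_TLS})
STRICT_POLICY: FrozenSet[str] = frozenset({KERBEROS})


def sample_assertion(class_ref: Optional[str]) -> str:
    """Constructed, unsigned, minimal assertion; pass None to omit the AuthnContext."""
    context = (
        f"<saml:AuthnContext><saml:AuthnContextClassRef>{class_ref}"
        "</saml:AuthnContextClassRef></saml:AuthnContext>"
        if class_ref else ""
    )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_constructed" Version="2.0" IssueInstant="2004-01-01T00:00:00Z">'
        "<saml:Issuer>https://idp.example.org</saml:Issuer>"
        "<saml:Subject><saml:NameID>scott@example.org</saml:NameID></saml:Subject>"
        f'<saml:AuthnStatement AuthnInstant="2004-01-01T00:00:00Z">{context}</saml:AuthnStatement>'
        "</saml:Assertion>"
    )


def authn_context_of(assertion_xml: str) -> Optional[str]:
    """Return the AuthnContextClassRef URI, or None if the assertion carries none."""
    # In a real deployment the assertion signature is verified before anything here is trusted.
    root = ET.fromstring(assertion_xml)
    ref = root.find("./saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    return ref.text.strip() if ref is not None and ref.text else None


def accept(assertion_xml: str, policy: FrozenSet[str]) -> bool:
    """Accept only an exact URI match against the policy; a missing context fails closed."""
    ctx = authn_context_of(assertion_xml)
    return ctx is not None and ctx in policy


if __name__ == "__main__":
    for name, policy in (("lenient", LENIENT_POLICY), ("strict", STRICT_POLICY)):
        for label, ref in (("kerberos", KERBEROS), ("password/TLS", PASSWORD_TLS), ("none", None)):
            print(f"{name:7} policy, {label:12}: {'accept' if accept(sample_assertion(ref), policy) else 'reject'}")
```

If an identity provider labels both flows with the same URI, as the message objects to, the strict policy cannot separate them; the check is only as good as the value the assertion carries.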