security-services message



Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication



Scott,

Ok, let me explain my view on this so we can reach an agreement.

So far we have discussed two ways to use Kerberos for authenticating users, however in practice there are likely to be many many more ways in which a user will be authenticated using Kerberos before a SAML assertion is issued. I am also considering real use cases where client/server is used and the web server or browser is not involved, but we have a need to get an assertion and then present this assertion to an application for authenticating the user. So, to maintain flexibility, consistency and clarity I am proposing we don't try to define how strong, or not the Kerberos authentication method is, but simply say in our documents that if Kerberos is used to authenticate the user we represent the Kerberos authentication in the assertion using a common approach.

It appears to me that the argument here is about whether using Kerberos in a particular way should be represented as a Kerberos authentication in the assertion - correct? If so, then we need to clearly define when Kerberos authentication is involved, and when it is not involved. In my view if we are using Kerberos to get a TGT and service ticket to obtain the identity of a user to store in an assertion then we should be happy that Kerberos is being used - surely this is a clear distinction?

To be clear - you seem to be referring to one method being acceptable and one method not being acceptable. This is not under question. What we are trying to conclude is whether they are both using Kerberos, not which is better, worse, or acceptable.

Thanks, Tim.

-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu]
Sent: 13 April 2004 15:42
To: 'Tim Alsop'
Cc: security-services@lists.oasis-open.org
Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication

> In my last email I described one reason why a password
> database check is not the same as using Kerberos, but (again)
> I don't think the various ways of authenticating with
> Kerberos and which is better needs to be discussed.

This is basically the point though. Obviously you disagree, which is fine,
but for me, the issue is precisely how the *client* authenticates, not how
the web server that is colocated with the authentication authority
authenticates.

As a relying party, there's a difference between a client getting a TGT and
never exposing the password to the network, and using TLS to ship it up to the
server. Using a single authentication method for both is essentially (for
me) rendering it meaningless, since I may very well consider one acceptable
and the other not acceptable. Of course, if authn context can distinguish
this, that's fine too, there's no need to deal with it in the legacy
methods.

All that said, I'm not making Polar's argument. I'm a realist, and we do the
password over TLS approach every day on the order of 30,000-60,000 times on
the web and many million times for email checks (and that's cleartext!).
I'm not discussing whether it's good, bad, or indifferent (that's
irrelevant), just that it's not IMHO Kerberos in any useful sense.

-- Scott
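As an added illustration of the relying-party view argued in this thread (example code, not from the thread or from OASIS): a minimal SAML 1.1 relying-party check that reads the AuthenticationMethod of an AuthenticationStatement and accepts or rejects it against a local policy. The sample assertions, the issuer name and the policy are constructed here; the method URIs are the ones SAML 1.1 core section 7.1 defines.

```python
"""Relying-party check of a SAML 1.1 AuthenticationStatement's method URI.
Added example for this thread; sample assertions and policy are constructed."""
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1}

# Authentication method URIs defined in SAML 1.1 core, section 7.1.
KERBEROS = "urn:ietf:rfc:1510"
PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"
PASSWORD_TLS = "urn:oasis:names:tc:SAML:1.0:am:PasswordProtectedTransport"


def authentication_method(assertion_xml: str) -> tuple[str, str]:
    """Return (AuthenticationMethod, NameIdentifier) from the first
    AuthenticationStatement; raise ValueError if either is missing."""
    root = ET.fromstring(assertion_xml)
    stmt = root.find("saml:AuthenticationStatement", NS)
    if stmt is None:
        raise ValueError("no AuthenticationStatement in assertion")
    method = stmt.get("AuthenticationMethod")
    name = stmt.findtext("saml:Subject/saml:NameIdentifier", namespaces=NS)
    if not method or not name:
        raise ValueError("AuthenticationMethod or NameIdentifier missing")
    return method, name.strip()


def accept(assertion_xml: str, allowed: frozenset[str]) -> bool:
    """Relying-party policy: accept only if the asserted method is allowed."""
    method, _ = authentication_method(assertion_xml)
    return method in allowed


def sample_assertion(method: str) -> str:
    # Constructed SAML 1.1 assertion; signature and conditions omitted.
    return f"""<saml:Assertion xmlns:saml="{SAML1}" MajorVersion="1" MinorVersion="1"
  AssertionID="_example" Issuer="idp.example.test" IssueInstant="2004-04-13T15:42:00Z">
  <saml:AuthenticationStatement AuthenticationMethod="{method}"
      AuthenticationInstant="2004-04-13T15:41:00Z">
    <saml:Subject><saml:NameIdentifier>alice@EXAMPLE.TEST</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


if __name__ == "__main__":
    # A relying party that only trusts a genuine Kerberos client exchange.
    policy = frozenset({KERBEROS})
    for m in (KERBEROS, PASSWORD_TLS):
        print(m, "->", "accept" if accept(sample_assertion(m), policy) else "reject")
```

The point of the check is that the relying party can only apply such a policy if the two ways of involving Kerberos are asserted as distinguishable method values.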