security-services message

Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication

> It appears to me that the argument here is about whether 
> using Kerberos in a particular way should be represented as a 
> Kerberos authentication in the assertion - correct ?

That's maybe one aspect, but I think there's another aspect which is what
the point of Method is in the context of various profiles. I guess I'm
arguing that in the browser SSO profile, the real value is in describing the
dialog between the browser and the IdP web server, not whatever might be
happening behind the IdP scenes. I'm probably much more inclined to hand
wave that as an IdP detail and I trust him pretty strongly.

You can see that in one case it *is* Kerberos between the browser and the
IdP and the other case, it's not.

> then we need to clearly define when Kerberos authentication 
> is involved, and when it is not involved. In my view if we 
> are using Kerberos to get a tgt and service ticket to obtain 
> the identity of a user to store in an assertion then we 
> should be happy that Kerberos is being used - surely this is 
> a clear distinction ?

I think "happy" slides into the irrelevant part we don't need to agree on.
It's different in both cases exactly how much Kerberos is used and between
which parties and the threat model is very different.

> To be clear - you seem to be referring to one method being 
> acceptable and one method not being acceptable. This is not 
> under question. What we are trying to conclude is whether 
> they are both using Kerberos, not which is better, worse, or 
> acceptable. 

I'm arguing (unlike Polar) that both are acceptable to *some* people, but
that (like Polar) one is clearly Kerberos to the relying party's decision
making process, and the other may not be.

Hiding that distinction is, IMHO, bad.

-- Scott
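An added illustration of the relying party's view that the message argues about; this is example code written for this archive page, not anything posted in the thread or part of any SAML implementation. It assumes the SAML 1.1 assertion namespace and the two AuthenticationMethod URIs defined in the SAML 1.1 core specification (Kerberos and password), and both sample assertions are constructed here. The point it shows is that the relying party can only act on the method the IdP declares: when the browser-to-IdP dialog was really Kerberos, a "Kerberos only" policy passes; when the IdP only used Kerberos behind the scenes after a password dialog, an honestly labelled assertion fails that policy, which is the distinction the message says should not be hidden.

```python
"""Relying-party decision on SAML 1.1 AuthenticationMethod (added example).

Assumptions (not from the thread): SAML 1.1 namespace and the standard
method URIs below; the two assertions are constructed for illustration.
"""
from typing import Optional, Set
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
# AuthenticationMethod URIs from the SAML 1.1 core specification.
AM_KERBEROS = "urn:ietf:rfc:1510"
AM_PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"


def build_assertion(method: str, name: str) -> str:
    """Build a minimal, unsigned SAML 1.1 assertion with one AuthenticationStatement.

    Constructed sample data; a real assertion would be signed and carry
    conditions, audience restrictions, and so on.
    """
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" MajorVersion="1" MinorVersion="1"
  AssertionID="_example-id" Issuer="https://idp.example.org"
  IssueInstant="2004-01-01T00:00:00Z">
  <saml:AuthenticationStatement AuthenticationMethod="{method}"
      AuthenticationInstant="2004-01-01T00:00:00Z">
    <saml:Subject>
      <saml:NameIdentifier
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">{name}</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


# Case 1: the browser itself authenticated to the IdP web server with Kerberos.
ASSERTION_BROWSER_KERBEROS = build_assertion(AM_KERBEROS, "alice@EXAMPLE.ORG")

# Case 2: the browser sent a password; the IdP then used that password to get a
# TGT and service ticket behind the scenes. The browser/IdP dialog was a
# password dialog, and an honest IdP labels the assertion that way.
ASSERTION_IDP_INTERNAL_KERBEROS = build_assertion(AM_PASSWORD, "alice@EXAMPLE.ORG")


def authentication_method(assertion_xml: str) -> Optional[str]:
    """Return the declared AuthenticationMethod, or None if the statement is absent."""
    root = ET.fromstring(assertion_xml)
    stmt = root.find(f"{{{SAML_NS}}}AuthenticationStatement")
    return None if stmt is None else stmt.get("AuthenticationMethod")


def relying_party_accepts(assertion_xml: str, acceptable_methods: Set[str]) -> bool:
    """The relying party's decision: it sees only the method the IdP declared,
    never what the IdP did internally, so it must be able to trust the label."""
    method = authentication_method(assertion_xml)
    return method is not None and method in acceptable_methods


if __name__ == "__main__":
    kerberos_only = {AM_KERBEROS}
    either = {AM_KERBEROS, AM_PASSWORD}
    for label, xml in (("browser Kerberos", ASSERTION_BROWSER_KERBEROS),
                       ("IdP-internal Kerberos", ASSERTION_IDP_INTERNAL_KERBEROS)):
        print(f"{label}: method={authentication_method(xml)} "
              f"kerberos-only={relying_party_accepts(xml, kerberos_only)} "
              f"either={relying_party_accepts(xml, either)}")
```

Run as a script it prints the declared method and the outcome under the two policies. The second assertion is rejected by the Kerberos-only policy precisely because its label reflects the browser dialog; if the IdP instead labelled it `urn:ietf:rfc:1510`, the relying party would accept it while facing the very different threat model the message describes.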
