Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication
> It appears to me that the argument here is about whether
> using Kerberos in a particular way should be represented as a
> Kerberos authentication in the assertion - correct ?

That's maybe one aspect, but I think there's another aspect which is what the point of Method is in the context of various profiles. I guess I'm arguing that in the browser SSO profile, the real value is in describing the dialog between the browser and the IdP web server, not whatever might be happening behind the IdP scenes. I'm probably much more inclined to hand wave that as an IdP detail and I trust him pretty strongly. You can see that in one case it *is* Kerberos between the browser and the IdP and the other case, it's not.

> then we need to clearly define when Kerberos authentication
> is involved, and when it is not involved. In my view if we
> are using Kerberos to get a tgt and service ticket to obtain
> the identity of a user to store in an assertion then we
> should be happy that Kerberos is being used - surely this is
> a clear distinction ?

I think "happy" slides into the irrelevant part we don't need to agree on. It's different in both cases exactly how much Kerberos is used and between which parties and the threat model is very different.

> To be clear - you seem to be referring to one method being
> acceptable and one method not being acceptable. This is not
> under question. What we are trying to conclude is whether
> they are both using kerberos, not which is better, worse, or
> acceptable.

I'm arguing (unlike Polar) that both are acceptable to *some* people, but that (like Polar) one is clearly Kerberos to the relying party's decision making process, and the other may not be. Hiding that distinction is, IMHO, bad.

-- Scott