
security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication


I think the problem here is that I am considering the bigger picture outside of the browser WebSSO profile and you are considering the specifics of the WebSSO profile and how this might, or might not, reference Kerberos authentication. Is this roughly correct?

If so, I can now see that in the context of the WebSSO profile in SAML 2.0, having a Kerberos client on a web server to validate userid/password could be considered the same as any other password validation method installed on the web server, and I guess this is your point. Hence you are suggesting that, if this is the case, the assertion should not use the Kerberos AuthMethod name format but some other representation of the principal? If so, what are you suggesting is used instead?

I hope I have interpreted your views correctly, and that we are now on track to reaching a conclusion?

Thank you for your patience.

Regards, Tim.

-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu]
Sent: 13 April 2004 19:29
To: 'Tim Alsop'
Cc: security-services@lists.oasis-open.org
Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication

> It appears to me that the argument here is about whether
> using Kerberos in a particular way should be represented as a
> Kerberos authentication in the assertion - correct ?

That's maybe one aspect, but I think there's another aspect which is what
the point of Method is in the context of various profiles. I guess I'm
arguing that in the browser SSO profile, the real value is in describing the
dialog between the browser and the IdP web server, not whatever might be
happening behind the IdP scenes. I'm probably much more inclined to hand
wave that as an IdP detail and I trust him pretty strongly.

You can see that in one case it *is* Kerberos between the browser and the
IdP and the other case, it's not.

> then we need to clearly define when Kerberos authentication
> is involved, and when it is not involved. In my view if we
> are using Kerberos to get a tgt and service ticket to obtain
> the identity of a user to store in an assertion then we
> should be happy that Kerberos is being used - surely this is
> a clear distinction ?

I think "happy" slides into the irrelevant part we don't need to agree on.
It's different in both cases exactly how much Kerberos is used and between
which parties and the threat model is very different.

> To be clear - you seem to be referring to one method being
> acceptable and one method not being acceptable. This is not
> under question. What we are trying to conclude is whether
> they are both using kerberos, not which is better, worse, or
> acceptable.

I'm arguing (unlike Polar) that both are acceptable to *some* people, but
that (like Polar) one is clearly Kerberos to the relying party's decision
making process, and the other may not be.

Hiding that distinction is, IMHO, bad.

-- Scott
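Scott's point is that what matters to the relying party's decision is what the assertion says about the browser-to-IdP exchange, not how the IdP verified the credential behind the scenes. The following Python is an added example, not code from the thread or from OASIS: it constructs two unsigned SAML 2.0 assertions (sample data made up for this example), one carrying the Kerberos AuthnContext class and Kerberos NameID format, the other carrying PasswordProtectedTransport, and shows a relying-party policy that only grants a "Kerberos-required" resource when the assertion actually claims the Kerberos class. The URIs are the ones defined in SAML 2.0 Core and the Authentication Context specification; the issuer name, resource name and `rp_decision` policy function are assumptions for illustration only.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# AuthnContext class URIs from the SAML 2.0 Authentication Context spec.
AC_KERBEROS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"
AC_PASSWORD_TLS = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# NameID formats from SAML 2.0 Core.
NAMEID_KERBEROS = "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def build_assertion(name_id, name_id_format, authn_class):
    """Constructed sample assertion (unsigned; issuer and timestamps are made up).

    A real RP must validate the XML signature, Conditions and audience before
    trusting any of these values; that is deliberately out of scope here.
    """
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" Version="2.0"
    ID="_example" IssueInstant="2004-04-13T19:29:00Z">
  <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{name_id_format}">{name_id}</saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2004-04-13T19:29:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{authn_class}</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def extract_authn(xml_text):
    """Pull the NameID (value + format) and the AuthnContextClassRef out of an assertion.

    Uses the stdlib parser for brevity; production code should parse untrusted
    SAML with a hardened parser (for example defusedxml) after signature checks.
    """
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    class_ref = root.find(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS
    )
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion lacks a usable NameID")
    if class_ref is None or not (class_ref.text or "").strip():
        raise ValueError("assertion lacks an AuthnContextClassRef")
    return {
        "name_id": name_id.text.strip(),
        # SAML 2.0 Core says a missing Format means "unspecified".
        "name_id_format": name_id.get("Format", NAMEID_UNSPECIFIED),
        "authn_class": class_ref.text.strip(),
    }


def rp_decision(info, acceptable_classes):
    """Hypothetical RP policy: grant only if the asserted AuthnContext class is acceptable.

    Whether the IdP happened to talk to a KDC while checking a password is
    invisible here; only what the assertion claims about the browser/IdP
    exchange drives the decision.
    """
    return info["authn_class"] in acceptable_classes


if __name__ == "__main__":
    # Case 1: the browser really did Kerberos to the IdP (e.g. SPNEGO).
    kerb = extract_authn(build_assertion("alice@EXAMPLE.ORG", NAMEID_KERBEROS, AC_KERBEROS))
    # Case 2: the browser sent a password over TLS; IdP verified it however it liked.
    pwd = extract_authn(build_assertion("alice", NAMEID_UNSPECIFIED, AC_PASSWORD_TLS))
    for label, info in (("kerberos", kerb), ("password", pwd)):
        print(label, info["authn_class"], "->",
              "allow" if rp_decision(info, {AC_KERBEROS}) else "deny")
```

The point the check makes concrete: an IdP that validates a password against a KDC and then emits `AC_KERBEROS` would be granted access to the Kerberos-only resource on exactly the same basis as a genuine SPNEGO login, even though its threat model is that of any password-over-TLS login. Keeping the two classes distinct in the assertion is what lets the RP apply a different policy to each.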
