OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication


Title: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication

Great. This conversation started with a discussion on pre-authentication and this caused me to initially missunderstand what you were getting at.

Anyway, I think JohnK mentioned using an Auth Context instead of putting the Kerberos pre-auth in the AuthenticationMethod statement ? What was the concensus on this, or has it not been discussed in detail yet ?

Maybe if Kerberos has been used, but not in the way we prefer (client in workstation/browser) we could still represent this method as a Kerberos method, but put something meaningful into a Context statement that gives more details on how Kerberos was used to authenticate the user ? That is in addition to the pre-auth method ? Just a suggestion ... Comments ?

Regards,
Tim.

-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu]
Sent: 13 April 2004 22:55
To: 'Tim Alsop'
Cc: security-services@lists.oasis-open.org
Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication

> format", but just "AuthenticationMethod". So, it is appears
> to me that you are suggesting we don't represent an assertion
> using AuthenticationMethod of urn:ietf:rfc:1510 because you
> don't consider this method of using Kerberos as actual
> Kerberos authentication, but simply another way to check
> password ? Is this correct ?

Yep. And I do agree that in and of itself, this glosses over
preauthentication.

> So, once again - sorry to bring up the NameIdentifier format
> by mistake and confuse this discussion - we are not
> discussing this, only the AuthenticationMethod and when it
> should or should not say Kerberos was used for
> authentication. Agreed ?

Yes.

-- Scott



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]