Subject: Re: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication

ext Paul Madsen wrote:

>Hi John, if your proposed 'pre-authenticated password' class is meant to
>describe the 'poor man's Kerberos' scenario that Tim and Scott have been
>discussing, to my mind Liberty already has a class that describes it, namely

>'The PasswordProtectedTransport class is identified when a Principal
>authenticates to an identity provider through the presentation of a password
>over a protected session.'
>Admittedly, this class doesn't capture how the IDP validates the password,
>ie. through a simple lookup or some proxied Kerberos authentication. Would
>this distinction matter to a Relying Party? If so, perhaps this could be a
>refinement of the passwordtype just as length is?
I see what you're saying - that maybe the relying party doesn't 
care whether Krb was used to validate the authentication - although I 
believe Polar did mention a use-case for marking the Principal as being 
untrusted if they choose to use their password in this way, so maybe the 
information *is* useful :)

We could use PasswordProtectedTransport in this case, but also allow the 
IdP to claim that they used Kerberos to validate that authentication - 
by allowing a PrincipalAuthenticationMechanism statement to be added to 
a conforming instance document of the PasswordProtectedTransport class 
(currently the class *doesn't* allow this). What do you think of that?

>With respect to ii) below, makes sense to me.

- JohnK

