Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication

Scott,

So, I think it is a good idea to summarise our discussions so far on this matter:

We are in agreement that AuthenticationMethod should be used to represent a Kerberos based authentication using the following syntax:

                AuthenticationMethod="urn:ietf:rfc:Kerberos"

                and NOT:

                AuthenticationMethod="urn:ietf:rfc:1510"

And, we have agreed that the pre-auth type is more appropriately represented in a context statement in the assertion and NOT as part of the AuthenticationMethod statement?

I believe we also have some level of agreement that contextual information should somehow represent the way Kerberos authentication was used in order to differentiate the "secure" from the "less secure" approaches in a web environment (e.g. less secure = Kerberos client on web server).

We are also in agreement that the previously proposed NameIdentifier format for representing a Kerberos principal name stays the same and does not change in any way.

e.g. the following example shows how a Kerberos principal name would be represented in an assertion.

                        <saml:NameIdentifier
                                NameQualifier="http://www.cybersafe.ltd.uk/"
                                Format="urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos">
                                talsop@CYBERSAFE.LTD.UK
                        </saml:NameIdentifier>

I think this summarises the discussion so far? I don't think I have missed, or misrepresented anything, or have I?

Tim.

-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu]
Sent: 14 April 2004 03:24
To: 'Tim Alsop'
Cc: security-services@lists.oasis-open.org
Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication

> Anyway, I think JohnK mentioned using an Auth Context instead
> of putting the Kerberos pre-auth in the AuthenticationMethod
> statement? What was the consensus on this, or has it not
> been discussed in detail yet?

The latter. I think everyone agrees that it makes sense, but I don't know
that Liberty has defined any specific classes or statements that deal with
Kerberos.

> Maybe if Kerberos has been used, but not in the way we prefer
> (client in workstation/browser) we could still represent this
> method as a Kerberos method, but put something meaningful
> into a Context statement that gives more details on how
> Kerberos was used to authenticate the user ? That is in
> addition to the pre-auth method ? Just a suggestion ... Comments ?

Right. My criticism pertained to the old method. However, I would be equally
opposed to lumping this model into a general Kerberos context class. I think
it's closer to a "password" class with specific details provided as to how
the server is checking the password for accuracy that mention Kerberos.

-- Scott
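As an added example (not part of the thread or any OASIS text), a small checker for the conventions summarised above: it reads a SAML authentication statement, flags the rejected urn:ietf:rfc:1510 form, and verifies the NameIdentifier Format and the name@REALM shape of the principal. The SAML 1.x assertion namespace and the principal grammar are assumptions, and the sample assertion is constructed around the NameIdentifier quoted in the mail.

```python
import re
import xml.etree.ElementTree as ET

# Assumptions (not from the thread): the statement lives in a SAML 1.x
# assertion namespace, and a Kerberos principal is name[/instance...]@REALM.
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
KERBEROS_METHOD = "urn:ietf:rfc:Kerberos"      # form agreed in the thread
LEGACY_METHOD = "urn:ietf:rfc:1510"            # form the thread rejects
KERBEROS_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos"
PRINCIPAL_RE = re.compile(r"^([^@/]+(?:/[^@/]+)*)@([^@\s]+)$")

# Constructed sample assertion built around the NameIdentifier quoted in the mail.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:AuthenticationStatement AuthenticationMethod="urn:ietf:rfc:Kerberos"
      AuthenticationInstant="2004-04-14T03:24:00Z">
    <saml:Subject>
      <saml:NameIdentifier NameQualifier="http://www.cybersafe.ltd.uk/"
          Format="urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos">
        talsop@CYBERSAFE.LTD.UK
      </saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

def parse_principal(value):
    """Split a Kerberos principal into (name, realm); None if malformed."""
    m = PRINCIPAL_RE.match(value.strip())
    return (m.group(1), m.group(2)) if m else None

def check_kerberos_statement(xml_text):
    """Return a list of findings; an empty list means the statement conforms."""
    findings = []
    root = ET.fromstring(xml_text)
    stmt = root.find(f".//{{{SAML_NS}}}AuthenticationStatement")
    if stmt is None:
        return ["no AuthenticationStatement found"]
    method = stmt.get("AuthenticationMethod")
    if method == LEGACY_METHOD:
        findings.append("AuthenticationMethod uses the RFC-number form urn:ietf:rfc:1510")
    elif method != KERBEROS_METHOD:
        findings.append(f"unexpected AuthenticationMethod {method!r}")
    nid = stmt.find(f".//{{{SAML_NS}}}NameIdentifier")
    if nid is None:
        return findings + ["no NameIdentifier in Subject"]
    if nid.get("Format") != KERBEROS_NAMEID_FORMAT:
        findings.append(f"NameIdentifier Format is {nid.get('Format')!r}, not the kerberos format")
    if parse_principal(nid.text or "") is None:
        findings.append(f"NameIdentifier value {(nid.text or '').strip()!r} is not name@REALM")
    return findings
```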
