OASIS Mailing List Archives

security-services message



Subject: Re: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication


Tim,

I believe 4a contains a Kerberos authentication context class. I don't 
assert that it's all complete, but I do think there's a Kerberos 
authentication context class schema in there (page 52 of the PDF I think).

I think I also added an "ExternalVerification" attribute to the 
PasswordType which allows you to say that a password is "externally 
verified" via Kerberos, which covers the other case that was discussed.

Both of these things are in the current 04a-diff draft.

- JohnK

ext Tim Alsop wrote:

>John,
>
>In the latest AuthnContext draft (04a) I don't see any reference to this
>discussion, so can I assume you haven't been able to document your
>solution yet, or did I miss something?
>
>Regards, Tim. 
>
>-----Original Message-----
>From: Tim Alsop 
>Sent: 14 April 2004 18:12
>To: John Kemp; Tim Alsop
>Cc: Scott Cantor; security-services@lists.oasis-open.org
>Subject: RE: [security-services] RE: AuthenticationMethod /
>NameIdentifier and Kerberos authentication
>
>John,
>
>Ok, thanks. I look forward to reviewing this when available. I will keep
>a look out ...
>
>Regards, Tim. 
>
>-----Original Message-----
>From: John Kemp [mailto:john.kemp@nokia.com] 
>Sent: 14 April 2004 18:20
>To: ext Tim Alsop
>Cc: Scott Cantor; security-services@lists.oasis-open.org
>Subject: Re: [security-services] RE: AuthenticationMethod /
>NameIdentifier and Kerberos authentication
>
>Tim,
>
>I am working on the AuthnContext, and the mapping of SAML authentication
>methods to either the AC schema itself, or where possible, appropriate
>authentication context classes. I am working on a new draft of the
>document, and believe it will deal with your concerns as we've discussed
>in this thread.
>
>Cheers,
>
>- JohnK
>
>ext Tim Alsop wrote:
>
>>Yes, I think the sense is that we're going to be able to dump Method and
>>move it into a set of context class URIs, that would keep the URIs the
>>same, if we want. Or if we change them, then it's moot, I guess. And context
>>classes are not the best way to capture preauth, given the potential
>>variability, so using actual AuthnContext statements and making sure the
>>SAML schema for that can capture this information is the real work item.
>>
>>Tim> So, can I assume that AuthnContext has been, or will be specified
>>to support Kerberos pre-auth? I guess I am just making sure that this
>>work item is currently owned by somebody?


