Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication


Tim,


>John,
>
>Ok. I am assuming I have the latest document. It appears that section 5.2.9
>describes a class called KerberosProtectedTransport. I need to refresh
>my memory by reviewing the emails on this, but I thought we were going
>to use the AuthnContext to represent the pre-authentication method used
>to get the initial Kerberos ticket ?

There were two forms of Kerberos mentioned on the list. In one case, a
Kerb ticket is used as the actual authenticator, and is passed across
some transport. This is modelled in the KerberosProtectedTransport
class.

The other case, where the actual authenticator is a password, is
represented already with the PasswordProtectedTransport class. 
As I mentioned yesterday, I added an ExternalVerification attribute to
the PasswordType element, which can carry the Kerberos URN, specifying
that Kerberos was used as the "pre-authentication" method. 

Cheers,

- JohnK



))) Message sent using Nokia Access Mobilizer -- www.nokia.com/accessmobilizer (((

--- Original Message ---
From: ext Tim Alsop <Tim.Alsop@CyberSafe.Ltd.UK>
To: Paul Madsen <p.madsen@entrust.com>, John Kemp <john.kemp@nokia.com>, security-services@lists.oasis-open.org
Date: Wed May 26  14:42:18 CDT 2004
Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication


John,

Ok. I am assuming I have the latest document. It appears that section 5.2.9
describes a class called KerberosProtectedTransport. I need to refresh
my memory by reviewing the emails on this, but I thought we were going
to use the AuthnContext to represent the pre-authentication method used
to get the initial Kerberos ticket ?

Anyway, it is not 100% clear to me from the description what
KerberosProtectedTransport is defining. Can you explain in more detail
so I can understand the approach ?

Thanks, Tim.

-----Original Message-----
From: Paul Madsen [mailto:p.madsen@entrust.com] 
Sent: 26 May 2004 20:35
To: Tim Alsop; John Kemp
Cc: security-services@lists.oasis-open.org
Subject: RE: [security-services] RE: AuthenticationMethod /
NameIdentifier and Kerberos authentication

the former (I believe)

>-----Original Message-----
>From: Tim Alsop [mailto:Tim.Alsop@CyberSafe.Ltd.UK]
>Sent: Wednesday, May 26, 2004 3:17 PM
>To: Paul Madsen; John Kemp
>Cc: security-services@lists.oasis-open.org; Tim Alsop
>Subject: RE: [security-services] RE: AuthenticationMethod /
>NameIdentifier and Kerberos authentication
>
>
>Paul/John,
>
>So, is this the latest version of the document with an incorrect header,
>or an old version with wrong filename ?
>
>Tim.
>
>-----Original Message-----
>From: Paul Madsen [mailto:p.madsen@entrust.com] 
>Sent: 26 May 2004 20:14
>To: Tim Alsop; John Kemp
>Cc: security-services@lists.oasis-open.org; Tim Alsop
>Subject: RE: [security-services] RE: AuthenticationMethod /
>NameIdentifier and Kerberos authentication
>
>Tim, I believe John is off line at Liberty meetings but I believe you
>are correct that there is a mismatch between the document header, it
>doesn't accurately reflect the actual doc version.
>
>John, if you are online, apologies for jumping in.
>
>Paul
>
>>-----Original Message-----
>>From: Tim Alsop [mailto:Tim.Alsop@CyberSafe.Ltd.UK]
>>Sent: Wednesday, May 26, 2004 3:08 PM
>>To: John Kemp
>>Cc: Scott Cantor; security-services@lists.oasis-open.org; Tim Alsop
>>Subject: RE: [security-services] RE: AuthenticationMethod /
>>NameIdentifier and Kerberos authentication
>>
>>
>>John,
>>
>>When I open the document named
>>sstc-saml-authn-context-2.0-draft-04a-diff.pdf the first page shows :
>>
>>Working Draft 03, 19 February 2004
>>Document identifier:
>>draft-sstc-authn-context-v1.0-03.doc
>>
>>Is this the latest version ? Is it possible that the pdf 
>>version of this
>>document is wrong ?
>>
>>Thanks, Tim.
>>
>>-----Original Message-----
>>From: John Kemp [mailto:john.kemp@nokia.com] 
>>Sent: 26 May 2004 05:02
>>To: Tim Alsop
>>Cc: Scott Cantor; security-services@lists.oasis-open.org; Tim Alsop
>>Subject: Re: [security-services] RE: AuthenticationMethod /
>>NameIdentifier and Kerberos authentication
>>
>>Tim,
>>
>>I believe 4a contains a Kerberos authentication context class. I don't
>>assert that it's all complete, but I do think there's a Kerberos
>>authentication context class schema in there (page 52 of the PDF I
>>think)
>>
>>I think I also added a "ExternalVerification" attribute to the
>>PasswordType which allows you to say that a password is "externally
>>verified" via Kerberos, which covers the other case that was
>>discussed.
>>
>>Both of these things are in the current 04a-diff draft.
>>
>>- JohnK
>>
>>ext Tim Alsop wrote:
>>
>>>John,
>>>
>>>In the latest AuthnContext draft (04a) I don't see any reference to
>>>this discussion, so can I assume you haven't been able to document your
>>>solution yet, or did I miss something?
>>>
>>>Regards, Tim. 
>>>
>>>-----Original Message-----
>>>From: Tim Alsop 
>>>Sent: 14 April 2004 18:12
>>>To: John Kemp; Tim Alsop
>>>Cc: Scott Cantor; security-services@lists.oasis-open.org
>>>Subject: RE: [security-services] RE: AuthenticationMethod /
>>>NameIdentifier and Kerberos authentication
>>>
>>>John,
>>>
>>>Ok, thanks. I look forward to reviewing this when available. I will
>>>keep a look out ...
>>>
>>>Regards, Tim. 
>>>
>>>-----Original Message-----
>>>From: John Kemp [mailto:john.kemp@nokia.com] 
>>>Sent: 14 April 2004 18:20
>>>To: ext Tim Alsop
>>>Cc: Scott Cantor; security-services@lists.oasis-open.org
>>>Subject: Re: [security-services] RE: AuthenticationMethod /
>>>NameIdentifier and Kerberos authentication
>>>
>>>Tim,
>>>
>>>I am working on the AuthnContext, and the mapping of SAML
>>>authentication methods to either the AC schema itself, or where possible,
>>>appropriate authentication context classes. I am working on a new draft
>>>of the document, and believe it will deal with your concerns as we've
>>>discussed in this thread.
>>>
>>>Cheers,
>>>
>>>- JohnK
>>>
>>>ext Tim Alsop wrote:
>>>
>>>>Yes, I think the sense is that we're going to be able to dump Method
>>>>and move it into a set of context class URIs, that would keep the URIs
>>>>the same, if we want. Or if we change them, then it's moot, I guess.
>>>>And context classes are not the best way to capture preauth, given the
>>>>potential variability, so using actual AuthnContext statements and
>>>>making sure the SAML schema for that can capture this information is
>>>>the real work item.
>>>>
>>>>Tim> So, can I assume that AuthnContext has been, or will be specified
>>>>to support Kerberos pre-auth ? I guess I am just making sure that this
>>>>work item is currently owned by somebody ?
>>>>
>>
>>
>>
>>
>>To unsubscribe from this mailing list (and be removed from the
>>roster of the OASIS TC), go to
>>http://www.oasis-open.org/apps/org/workgroup/security-services/members/leave_workgroup.php.