Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication
Tim,

>John,
>Ok. I am assuming I have latest document. It appears that section 5.2.9
>describes a class called KerberosProtectedTransport. I need to refresh
>my memory by reviewing the emails on this, but I thought we were going
>to use the AuthnContext to represent the pre-authentication method used
>to get the initial Kerberos ticket ?

There were two forms of Kerberos mentioned on the list. In one case, a Kerb ticket is used as the actual authenticator, and is passed across some transport. This is modelled in the KerberosProtectedTransport class. The other case, where the actual authenticator is a password, is represented already with the PasswordProtectedTransport class.

As I mentioned yesterday, I added an ExternalVerification attribute to the PasswordType element, which can carry the Kerberos URN, specifying that Kerberos was used as the "pre-authentication" method.

Cheers,

- JohnK

))) Message sent using Nokia Access Mobilizer -- www.nokia.com/accessmobilizer (((

--- Original Message ---
From: ext Tim Alsop <Tim.Alsop@CyberSafe.Ltd.UK>
To: Paul Madsen <p.madsen@entrust.com>, John Kemp <john.kemp@nokia.com>, security-services@lists.oasis-open.org
Date: Wed May 26 14:42:18 CDT 2004
Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication

John,

Ok. I am assuming I have latest document. It appears that section 5.2.9 describes a class called KerberosProtectedTransport. I need to refresh my memory by reviewing the emails on this, but I thought we were going to use the AuthnContext to represent the pre-authentication method used to get the initial Kerberos ticket ?

Anyway, it is not 100% clear to me from the description what KerberosProtectedTransport is defining. Can you explain in more detail so I can understand the approach ?

Thanks, Tim.

-----Original Message-----
From: Paul Madsen [mailto:p.madsen@entrust.com]
Sent: 26 May 2004 20:35
To: Tim Alsop; John Kemp
Cc: security-services@lists.oasis-open.org
Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication

the former (I believe)

>-----Original Message-----
>From: Tim Alsop [mailto:Tim.Alsop@CyberSafe.Ltd.UK]
>Sent: Wednesday, May 26, 2004 3:17 PM
>To: Paul Madsen; John Kemp
>Cc: security-services@lists.oasis-open.org; Tim Alsop
>Subject: RE: [security-services] RE: AuthenticationMethod /
>NameIdentifier and Kerberos authentication
>
>
>Paul/John,
>
>So, is this the latest version of the document with an incorrect header,
>or an old version with wrong filename ?
>
>Tim.
>
>-----Original Message-----
>From: Paul Madsen [mailto:p.madsen@entrust.com]
>Sent: 26 May 2004 20:14
>To: Tim Alsop; John Kemp
>Cc: security-services@lists.oasis-open.org; Tim Alsop
>Subject: RE: [security-services] RE: AuthenticationMethod /
>NameIdentifier and Kerberos authentication
>
>Tim, I believe John is off line at Liberty meetings but I believe you
>are correct that there is a mismatch between the document header,
>it doesn't accurately reflect the actual doc version.
>
>John, if you are online, apologies for jumping in.
>
>Paul
>
>>-----Original Message-----
>>From: Tim Alsop [mailto:Tim.Alsop@CyberSafe.Ltd.UK]
>>Sent: Wednesday, May 26, 2004 3:08 PM
>>To: John Kemp
>>Cc: Scott Cantor; security-services@lists.oasis-open.org; Tim Alsop
>>Subject: RE: [security-services] RE: AuthenticationMethod /
>>NameIdentifier and Kerberos authentication
>>
>>
>>John,
>>
>>When I open the document named
>>sstc-saml-authn-context-2.0-draft-04a-diff.pdf the first page shows :
>>
>>Working Draft 03, 19 February 2004
>>Document identifier:
>>draft-sstc-authn-context-v1.0-03.doc
>>
>>Is this the latest version ? Is it possible that the pdf version of this
>>document is wrong ?
>>
>>Thanks, Tim.
>>
>>-----Original Message-----
>>From: John Kemp [mailto:john.kemp@nokia.com]
>>Sent: 26 May 2004 05:02
>>To: Tim Alsop
>>Cc: Scott Cantor; security-services@lists.oasis-open.org; Tim Alsop
>>Subject: Re: [security-services] RE: AuthenticationMethod /
>>NameIdentifier and Kerberos authentication
>>
>>Tim,
>>
>>I believe 4a contains a Kerberos authentication context class. I don't
>>assert that it's all complete, but I do think there's a Kerberos
>>authentication context class schema in there (page 52 of the PDF I
>>think)
>>
>>I think I also added a "ExternalVerification" attribute to the
>>PasswordType which allows you to say that a password is "externally
>>verified" via Kerberos, which covers the other case that was discussed.
>>
>>Both of these things are in the current 04a-diff draft.
>>
>>- JohnK
>>
>>ext Tim Alsop wrote:
>>
>>>John,
>>>
>>>In the latest AuthnContext draft (04a) I don't see any reference to
>>>this discussion, so can I assume you haven't been able to document your
>>>solution yet, or did I miss something?
>>>
>>>Regards, Tim.
>>>
>>>-----Original Message-----
>>>From: Tim Alsop
>>>Sent: 14 April 2004 18:12
>>>To: John Kemp; Tim Alsop
>>>Cc: Scott Cantor; security-services@lists.oasis-open.org
>>>Subject: RE: [security-services] RE: AuthenticationMethod /
>>>NameIdentifier and Kerberos authentication
>>>
>>>John,
>>>
>>>Ok, thanks. I look forward to reviewing this when available. I will
>>>keep a look out ...
>>>
>>>Regards, Tim.
>>>
>>>-----Original Message-----
>>>From: John Kemp [mailto:john.kemp@nokia.com]
>>>Sent: 14 April 2004 18:20
>>>To: ext Tim Alsop
>>>Cc: Scott Cantor; security-services@lists.oasis-open.org
>>>Subject: Re: [security-services] RE: AuthenticationMethod /
>>>NameIdentifier and Kerberos authentication
>>>
>>>Tim,
>>>
>>>I am working on the AuthnContext, and the mapping of SAML
>>>authentication methods to either the AC schema itself, or where
>>>possible, appropriate authentication context classes. I am working on
>>>a new draft of the document, and believe it will deal with your
>>>concerns as we've discussed in this thread.
>>>
>>>Cheers,
>>>
>>>- JohnK
>>>
>>>ext Tim Alsop wrote:
>>>
>>>>Yes, I think the sense is that we're going to be able to dump Method
>>>>and move it into a set of context class URIs, that would keep the
>>>>URIs the same, if we want. Or if we change them, then it's moot, I
>>>>guess. And context classes are not the best way to capture preauth,
>>>>given the potential variability, so using actual AuthnContext
>>>>statements and making sure the SAML schema for that can capture this
>>>>information is the real work item.
>>>>
>>>>Tim> So, can I assume that AuthnContext has been, or will be specified
>>>>to support Kerberos pre-auth ? I guess I am just making sure that this
>>>>work item is currently owned by somebody ?
>>
>>To unsubscribe from this mailing list (and be removed from the
>>roster of the OASIS TC), go to
>>http://www.oasis-open.org/apps/org/workgroup/security-services/members/leave_workgroup.php.
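The distinction John Kemp draws at the top of the message (a Kerberos ticket as the actual authenticator, modelled by the KerberosProtectedTransport class, versus a password as the authenticator with Kerberos recorded as the "pre-authentication" method via an ExternalVerification attribute on PasswordType) matters to a relying party that wants to accept only the first form. The following is an added example written for this archive page; it is not code from the thread, the SAML TC, or the draft being discussed. The URN values, the element layout under AuthnContextDeclaration, and the sample declarations are constructed for illustration and are assumptions, since the thread names the classes and the attribute but not their identifiers.

```python
"""Classify how Kerberos figures in a SAML authentication context declaration.

Two cases are distinguished, following the thread:
  1. the Kerberos ticket itself is the authenticator
     (declaration belongs to the KerberosProtectedTransport class);
  2. a password is the authenticator and was verified externally via
     Kerberos (PasswordProtectedTransport class, Password element carrying
     an ExternalVerification attribute set to the Kerberos URN).

ASSUMED: the class URIs, the Kerberos URN and the element names below are
placeholders standing in for whatever the draft defines.
"""
import xml.etree.ElementTree as ET

KERBEROS_CLASS = "urn:example:ac:classes:KerberosProtectedTransport"  # assumed
PASSWORD_CLASS = "urn:example:ac:classes:PasswordProtectedTransport"  # assumed
KERBEROS_PREAUTH_URN = "urn:example:authn:kerberos"                    # assumed

# Constructed sample declarations (not taken from the draft).
TICKET_DECL = f"""<AuthnContextDeclaration xmlns="{KERBEROS_CLASS}">
  <AuthnMethod>
    <Authenticator><KerberosTicket/></Authenticator>
    <AuthenticatorTransportProtocol><SSL/></AuthenticatorTransportProtocol>
  </AuthnMethod>
</AuthnContextDeclaration>"""

PREAUTH_DECL = f"""<AuthnContextDeclaration xmlns="{PASSWORD_CLASS}">
  <AuthnMethod>
    <Authenticator>
      <Password ExternalVerification="{KERBEROS_PREAUTH_URN}"/>
    </Authenticator>
    <AuthenticatorTransportProtocol><SSL/></AuthenticatorTransportProtocol>
  </AuthnMethod>
</AuthnContextDeclaration>"""

PLAIN_PASSWORD_DECL = f"""<AuthnContextDeclaration xmlns="{PASSWORD_CLASS}">
  <AuthnMethod>
    <Authenticator><Password/></Authenticator>
    <AuthenticatorTransportProtocol><SSL/></AuthenticatorTransportProtocol>
  </AuthnMethod>
</AuthnContextDeclaration>"""


def describe_kerberos_use(xml_text):
    """Return (class_name, authenticator, preauth) for one declaration.

    class_name    -- which context class the declaration belongs to
    authenticator -- "kerberos-ticket" or "password"
    preauth       -- "kerberos" when ExternalVerification carries the Kerberos
                     URN, any other URN verbatim, or None when absent
    """
    root = ET.fromstring(xml_text)
    if not root.tag.startswith("{"):
        raise ValueError("declaration must be namespace-qualified by its class URI")
    class_uri, local = root.tag[1:].split("}", 1)
    if local != "AuthnContextDeclaration":
        raise ValueError(f"unexpected root element {local}")

    if class_uri == KERBEROS_CLASS:
        # Case 1: the ticket was the authenticator; no pre-auth marker applies.
        return ("KerberosProtectedTransport", "kerberos-ticket", None)

    if class_uri == PASSWORD_CLASS:
        # Case 2: look for the Password element and its ExternalVerification attribute.
        pw = root.find(f".//{{{class_uri}}}Password")
        if pw is None:
            raise ValueError("PasswordProtectedTransport declaration without a Password authenticator")
        ext = pw.get("ExternalVerification")
        preauth = "kerberos" if ext == KERBEROS_PREAUTH_URN else ext
        return ("PasswordProtectedTransport", "password", preauth)

    return ("other", None, None)


def ticket_was_authenticator(xml_text):
    """Policy helper: True only when the Kerberos ticket itself authenticated the
    user. A password that was merely pre-authenticated against Kerberos is still
    a password authenticator and does not satisfy this check."""
    return describe_kerberos_use(xml_text)[1] == "kerberos-ticket"


if __name__ == "__main__":
    for label, decl in (("ticket", TICKET_DECL), ("preauth", PREAUTH_DECL),
                        ("plain", PLAIN_PASSWORD_DECL)):
        print(label, describe_kerberos_use(decl), ticket_was_authenticator(decl))
```

The point the helper makes explicit is that the two forms live in different places of the declaration: the class URI of the root element says whether the ticket was the authenticator, while the pre-authentication form only shows up as an attribute on the Password element. A consumer that keys on the class alone will treat a Kerberos pre-authenticated password as an ordinary password, which is the intended reading of the thread.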