OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication

ext Paul Madsen wrote:

>Hi John, I assume you mean adding this attribute to the
>PrincipalAuthenticationMechanism in core schema and then using it in a
>KerberosProtectedTransport class?
Well, the reason I was asking about whether this is specific to Krb is 
to figure out whether it should be added to the class schema, rather 
than the main schema. I was thinking that one way to make this work 
would be to define a base type (SharedSecretChallengeResponseType) that 
would be extended by KerberosChallengeResponseType to add the pre-auth 

>As a complication, while a Principal may use password or smart-card or
>PKINIT to authenticate to the KDC, from the point of the view of the SAML
>authority that the principal uses a ticket to authenticate to, the
>authentication mechanism would be SharedSecretChallengeResponse.
Yes, I think I used SharedSecretDynamicPlaintext originally, but it 
should be SharedSecretChallengeResponse...

>Does Kerberos itself allow the KDC to advertise which of the supported
>authentication mechanims was used so that the SAML authority could create an
>appropriate context statement ?
Well, so it sounds like this is more of a problem of the pre-auth being 
transmitted to the SAML authority in the first place. So, we can provide 
something in the authentication context to hold this information, but 
the SAML authority won't necessarily know the information to state that 
some method of pre-auth was used.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]