
security-services message


Subject: RE: [security-services] RE: AuthenticationMethod / NameIdentifier and Kerberos authentication

> I believe the most recent version of the credentials collector document
> was that posted on 4 November of last year, available at:
> www.oasis-open.org/apps/org/workgroup/security/download.php/4119/oasis-sstc-v2_0-credentials_collector-use_cases-moses-02_d%85.pdf,
> but recall that this topic area fell outside SAML 2.0's selected
> priorities in subsequent discussion. 

That's true in the most general sense, but we've been doing profiles that
assume credentials collection since 1.0. The part that's out of scope, in my
mind, is the actual collector/authority interaction, which is left to
implementers to define. And since it's local to a security domain, the need
for interoperability in that is less compelling.

In this context, it's the KDC/authority relationship that's undefined.
Ideally the authority could just be a service principal in the KDC and
accept tickets, but if the pre-auth designation is important but missing
from the ticket, then it's not that simple.

-- Scott
