Subject: Re: [security-services] RE: Kerberos & front-channel bindings (was Metadata IOP & the front-channel bindings)



>> The reason I ask is because I have recently been trying to understand
>> the feasibility of using the Kerberos protocol within a SAML system
>> (as opposed to the more typical use of X.509 credentials or public key
>> crypto in general).
>
> That would generally be covered by the concepts, but the profile isn't
> written to support that particular use case at the moment.

Sure. But concepts is fine for now.

>> I would be very interested in any opinions on this analysis and approach.
>
> It makes sense to me in general, but I assume you have some way to use
> Kerberos to "sign" the response or assertion in a SSO flow?

Yes. I was planning on referencing the method (possibly with some
minor tweaks to improve interop) given in the WSS Kerberos TP (Section
3.4 "Authentication" and Section 3.5 "Encryption"). This can be
summarised as a MAC of the cleartext using the {sub-}session key. The
{sub-}session key will be provided in a ticket that accompanies the
ciphertext.

Many thanks, josh.
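A constructed Python sketch of the flow described above, added here as an example and not code from the thread or from the WSS Kerberos Token Profile: a KDC issues a service ticket carrying the session key, the IdP MACs the cleartext SAML response under that key, and the SP recovers the key from the ticket (using its own long-term key) to verify. The ticket "encryption" is a stand-in for a real Kerberos enctype, and all keys, names and the response are made up.

```python
import hashlib
import hmac
import json
import os

# Stand-in for a Kerberos enctype: SHA-256 counter keystream + HMAC (encrypt-then-MAC).
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("ticket integrity check failed (wrong service key or tampering)")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def kdc_issue_ticket(service_key: bytes, client_name: str, session_key: bytes) -> bytes:
    # Ticket body (client name + session key) is readable only by the service.
    body = json.dumps({"cname": client_name, "key": session_key.hex()}).encode()
    return seal(service_key, body)

def idp_sign_response(session_key: bytes, response_xml: bytes) -> bytes:
    # The "signature" is a MAC of the cleartext under the (sub-)session key.
    return hmac.new(session_key, response_xml, hashlib.sha256).digest()

def sp_verify(service_key: bytes, ticket: bytes, response_xml: bytes, mac: bytes):
    # SP recovers the session key from the accompanying ticket, then checks the MAC.
    body = json.loads(open_sealed(service_key, ticket))
    session_key = bytes.fromhex(body["key"])
    expected = hmac.new(session_key, response_xml, hashlib.sha256).digest()
    return body["cname"] if hmac.compare_digest(expected, mac) else None

def demo():
    service_key, session_key = os.urandom(32), os.urandom(32)  # constructed keys
    ticket = kdc_issue_ticket(service_key, "idp@EXAMPLE.ORG", session_key)
    response = b'<samlp:Response ID="_r1"><saml:Assertion/></samlp:Response>'
    mac = idp_sign_response(session_key, response)
    tampered = response.replace(b"_r1", b"_r2")
    return sp_verify(service_key, ticket, response, mac), sp_verify(service_key, ticket, tampered, mac)
```

`demo()` returns the authenticated client name for the intact response and `None` for the tampered one; a ticket presented to a service holding a different key is rejected before the MAC is even checked.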
