RE: [security-services] Proposed Agenda for SSTC Call (29 June 2010)

["Scott Cantor" <cantor.2@osu.edu>]

> I've attached the schema. I was certain that I had done this on
> submission, but it appears not :-(

I found it, it just wasn't reuploaded with the final CD. That helps keep the
artifacts together in Kavi. Technically the spec should also have a
reference to the schema, but I don't know if that's a strict requirement. If
we produce a V2.0, we can fix that.

> > Secondly, Scott has deployers who want to implement this.  We're not
> > sure what the use cases with the APREQ are, but the customer demand
> > that Scott has is for passing actual Kerberos credentials in an
> > attribute, and he doesn't know how that is best done.
> 
> By "credential", do we mean "ticket"? If so, that's the point of the
> AP_REQ message. The AP_REQ is the ticket + authenticator.

I don't want to speak for CMU, but what we were told is that the normal
thing to do is to transfer the tickets in some standard format, and then the
receiver of that can produce new AP_REQ messages as needed. Perhaps there's
a constraint on the time during which the authenticator remains valid, and
so this couples the use of the attribute information too closely to the
reception of it?

-- Scott