OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

wss message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [wss] KERBEROS PROFILE: ISSUE Ticket Granting Ticket


Not following too closely, but I think I agree with Frank.

In user-2-user the target service isn't presumed to have a server keytab,
so client's ask kdc for service tickets encrypted in target's TGT 
session key.
The TGT is sent to the KDC as part of the ticket request, and thus the 
ticket
requestors need to get the TGT from the target (before they can request
the service ticket).

TGT's are service tickets where the service is the KDC. As such, they 
are sent
over the wire for every service ticket request (not to mention the u2u 
wrinkle that
has already been mentioned.).

Ron

Frank Siebenlist wrote:

> Sorry, but for user-to-user authentication, the TGT has to be 
> communicated to the other party, such that a server ticket can be 
> obtained from the KDC.
>
> -Frank.
>
>
>
> Tim Alsop wrote:
>
>> I agree. Another point worth mentioning is that when the Kerberos 
>> protocol is used correctly and securely the TGT should not be 
>> transmitted anywhere. The TGT is designed to stay in a workstation or 
>> server credential cache and not be transmitted. However, service 
>> tickets are designed to be transmitted across networks so that mutual 
>> authentication, integrity and confidentiality can occur between 
>> initiator and acceptor.
>>
>> Thanks,
>> Tim.
>> -----Original Message-----
>> From: Hallam-Baker, Phillip [mailto:pbaker@verisign.com] Sent: 22 
>> April 2004 17:24
>> To: wss@lists.oasis-open.org
>> Subject: [wss] KERBEROS PROFILE: ISSUE Ticket Granting Ticket
>>
>> I believe that the Ticket Granting Ticket should be eliminated from the
>> Kerberos profile.
>>
>> The only valid use for a TGT is with the Kerb key derrivation algorithm.
>> That has no place in WS-Security. If it does appear it would be in 
>> WS-Trust
>> or the like and not in WS-Security.
>>
>> Encrypting a WS-Security message with a TGT could lead to cross protocol
>> attacks. Really bad voodoo. I propose that unless someone gives a good
>> reason to keep TGT in the Kerb profile and describes fully how to use it
>> that we should eliminate it.
>>
>> To unsubscribe from this mailing list (and be removed from the roster 
>> of the OASIS TC), go to 
>> http://www.oasis-open.org/apps/org/workgroup/wss/members/leave_workgroup.php. 
>>
>>
>



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]