

Subject: RE: [wss] KERBEROS PROFILE: ISSUE Ticket Granting Ticket


OK so the reason to forward a TGT is when you have a protocol where you need
to establish a peer to peer communication. 

Alice wants to speak to Bob

Alice forwards Bob her TGT,
Bob forwards both to the Kerb server,
Server returns two tickets: an Alice-to-Bob ticket and a Bob-to-Alice ticket.

OK that makes sense, would probably help to elucidate this somewhat in the
description part of the profile.

In particular the only object that should ever be generating or consuming
TGTs or generating tickets is a kerb server.
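A runnable sketch of the user-to-user exchange as Ron describes it in the quoted message below (the target hands its TGT to the initiator, who presents both TGTs to the KDC, and the service ticket comes back sealed under the target's TGT session key). This is an added illustration, not code from the thread or from any Kerberos implementation: `seal`/`unseal` are a toy keystream-plus-HMAC stand-in for a real Kerberos encryption type, and the principal names and keys are constructed.

```python
import hashlib, hmac, json, os

def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    """Toy authenticated encryption (keystream + HMAC); stands in for a Kerberos etype."""
    nonce, pt = os.urandom(16), json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    def __init__(self, principals):
        self.keys = dict(principals)          # principal -> long-term key (keytab/password key)
        self.krbtgt = os.urandom(32)          # key the KDC seals TGTs under; never leaves the KDC

    def as_exchange(self, client):
        """AS exchange: a TGT is just a service ticket for krbtgt, readable only by the KDC."""
        sk = os.urandom(32).hex()
        tgt = seal(self.krbtgt, {"cname": client, "key": sk})
        return tgt, seal(self.keys[client], {"key": sk})   # client recovers sk with its own key

    def tgs_user_to_user(self, client_tgt, target_tgt):
        """TGS exchange with the target's TGT enclosed: ticket sealed under the target's TGT key."""
        c, t = unseal(self.krbtgt, client_tgt), unseal(self.krbtgt, target_tgt)
        sk = os.urandom(32).hex()
        ticket = seal(bytes.fromhex(t["key"]), {"cname": c["cname"], "key": sk})
        return ticket, seal(bytes.fromhex(c["key"]), {"key": sk})

def login(kdc, who):
    tgt, rep = kdc.as_exchange(who)
    return tgt, bytes.fromhex(unseal(kdc.keys[who], rep)["key"])

def user_to_user(kdc, initiator, target):
    """Return (peer name the target sees, whether both ends hold the same session key)."""
    i_tgt, i_sk = login(kdc, initiator)
    t_tgt, t_sk = login(kdc, target)
    # The target hands its TGT to the initiator, who presents both TGTs to the KDC.
    ticket, enc_part = kdc.tgs_user_to_user(i_tgt, t_tgt)
    shared = unseal(i_sk, enc_part)["key"]
    seen = unseal(t_sk, ticket)              # target opens it with its TGT session key, no keytab
    return seen["cname"], seen["key"] == shared
```

The target's long-term key never opens the ticket, and a ticket that is not a TGT is rejected by the KDC at the TGS step, which is the "only the KDC consumes TGTs" point above.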





> -----Original Message-----
> From: Ron Monzillo [mailto:Ronald.Monzillo@Sun.COM]
> Sent: Tuesday, May 04, 2004 1:42 PM
> To: Frank Siebenlist
> Cc: Tim Alsop; Hallam-Baker, Phillip; wss@lists.oasis-open.org
> Subject: Re: [wss] KERBEROS PROFILE: ISSUE Ticket Granting Ticket
> 
> 
> Not following too closely, but I think I agree with Frank.
> 
> In user-2-user the target service isn't presumed to have a server keytab,
> so clients ask the KDC for service tickets encrypted in the target's TGT
> session key. The TGT is sent to the KDC as part of the ticket request, and
> thus the ticket requestors need to get the TGT from the target (before they
> can request the service ticket).
> 
> TGTs are service tickets where the service is the KDC. As such, they are
> sent over the wire for every service ticket request (not to mention the
> u2u wrinkle that has already been mentioned).
> 
> Ron
> 
> Frank Siebenlist wrote:
> 
> > Sorry, but for user-to-user authentication, the TGT has to be 
> > communicated to the other party, such that a server ticket can be 
> > obtained from the KDC.
> >
> > -Frank.
> >
> >
> >
> > Tim Alsop wrote:
> >
> >> I agree. Another point worth mentioning is that when the Kerberos
> >> protocol is used correctly and securely the TGT should not be
> >> transmitted anywhere. The TGT is designed to stay in a workstation or
> >> server credential cache and not be transmitted. However, service
> >> tickets are designed to be transmitted across networks so that mutual
> >> authentication, integrity and confidentiality can occur between
> >> initiator and acceptor.
> >>
> >> Thanks,
> >> Tim.
> >> -----Original Message-----
> >> From: Hallam-Baker, Phillip [mailto:pbaker@verisign.com]
> >> Sent: 22 April 2004 17:24
> >> To: wss@lists.oasis-open.org
> >> Subject: [wss] KERBEROS PROFILE: ISSUE Ticket Granting Ticket
> >>
> >> I believe that the Ticket Granting Ticket should be eliminated from the
> >> Kerberos profile.
> >>
> >> The only valid use for a TGT is with the Kerb key derivation algorithm.
> >> That has no place in WS-Security. If it does appear it would be in
> >> WS-Trust or the like and not in WS-Security.
> >>
> >> Encrypting a WS-Security message with a TGT could lead to cross protocol
> >> attacks. Really bad voodoo. I propose that unless someone gives a good
> >> reason to keep TGT in the Kerb profile and describes fully how to use it
> >> that we should eliminate it.
> >>
> >> To unsubscribe from this mailing list (and be removed from the roster
> >> of the OASIS TC), go to
> >> http://www.oasis-open.org/apps/org/workgroup/wss/members/leave_workgroup.php.
> >>
> >>
> >
> 
> 
> 

