Subject: RE: [wss] Groups - oasis-xxxxx-wss-kerberos-token-profile-1.0.pdf uploaded


Hi, I have some feedback/comments on this document.

Line 6 - Kerberos written as Kerboer (typo?)

Line 14 & Line 47 - In one case (line 14) it says "..how to use Kerberos
[Kerb] tickets.." and in the other case (line 47) it says "..the use of
Kerberos [Kerb] tokens..". This is confusing for Kerberos people because
the word token normally refers to GSS tokens, so we need to make it 100%
clear in this document whether we are referring to Kerberos tickets, or
GSS tokens, or WSS tokens with Kerberos, or something else? In any
case the document needs to make consistent references to the terms
'token' and 'ticket'.

Is it possible to use WSS with GSS-API message protection rather than
coding Kerberos ticket requests at a low level using a vendor
proprietary Kerberos API? I assume not because the document doesn't
mention GSS in any way - does the WSS TC plan to create a new draft that
covers use of GSS with WSS?

Line 51 - another reference to 'Kerberos tokens'? Should this say
something like "Kerberos tickets" instead? At the moment it is very
confusing referring to tokens without making this clearer.

General comment/question - are there any plans to prepare a use cases
document, or technical overview to explain how WSS/Kerberos can, and
should, be used?

References to Kerberos - Should rfc1510bis (aka Kerberos clarifications)
be mentioned, or is this document exclusively concerning rfc1510? If
so, then DES cipher suites are the only type that can be supported by this
profile. I am sure many implementers will want to use RC4, AES, 3DES
etc. instead of 56-bit DES. Also, I may have missed it, but I didn't see
any reference to cipher suites that can/should/must be used in this
document - is this written elsewhere?

Table between lines 95 and 96 - it is not clear to me why you would want
to transfer a TGT in a SOAP message? Normally TGTs are issued for a
particular client/workstation/system and contain an IP address so that
they cannot be copied onto another system and used (identity hijacking!).
So, how/why do you want to transmit a Kerberos 5 TGT?

Lines 96-97 - How do I carry GSS-API tokens instead of Kerberos tickets?
A GSS token would normally contain a Kerberos service ticket and
possibly a forwarded TGT (if applicable).

Line 100 - reference is made to a Kerberos token again. This is confusing
to me and others. Does it mean Kerberos ticket?

Line 185 - Surely a ticket is not used as a key? It would be a key
within the ticket that would be used? This is not clear in this
sentence. Lines 187-188 make it clearer, but I think 185 needs changing.

Line 190 - Similar issue with the reference to Kerberos ticket. It
should be consistent with suggested changes to line 185.

Lines 195-197 - What are these error codes? Are they Kerberos error
codes? If so they should be codes defined in IETF
specifications/drafts.

Lines 201-204 - Surely replay attacks etc. are already catered for when
using Kerberos, so there is no need to add any WSS specific measures?

Line 205 - Why sign a Kerberos ticket? What value does this add to that
already provided by the Kerberos protocol?

Regards,
Tim.
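As an added illustration of the ticket-versus-token distinction raised above (this is example code, not part of Tim's message, the OASIS draft, or any TC deliverable): a small DER-level classifier that tells a bare Kerberos Ticket ([APPLICATION 1], RFC 1510) from a GSS-API InitialContextToken ([APPLICATION 0] + mechanism OID + TOK_ID 01 00 + KRB_AP_REQ, RFC 2743/1964), and flags a TGT by its service name krbtgt/REALM. The realm EXAMPLE.ORG, the service names and the placeholder enc-parts are constructed sample data; the helper names (der, tlv, members, ticket_info, classify) are this example's own.

```python
# Added example (not from the OASIS draft or this thread): classify a WSS binary token by its DER framing,
# Ticket [APPLICATION 1] (RFC 1510) vs GSS-API InitialContextToken [APPLICATION 0] + OID + TOK_ID 01 00 + KRB_AP_REQ.
KRB5_MECH_OID = bytes.fromhex("06092a864886f712010202")  # DER OID 1.2.840.113554.1.2.2 (krb5 mechanism)
def der(tag, body):
    """Minimal DER TLV encoder (definite length, short or long form)."""
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag, len(body)] if len(body) < 0x80 else [tag, 0x80 | len(lb), *lb]) + body
def tlv(buf, pos):
    """Decode one TLV at pos -> (tag, value_start, value_end)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: the low 7 bits give the number of length octets
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, pos, pos + ln
def members(buf, pos):
    """All TLVs directly inside the constructed TLV at pos, as [(tag, start, end)]."""
    _, cur, end = tlv(buf, pos)
    out = []
    while cur < end:
        out.append(tlv(buf, cur)); cur = out[-1][2]
    return out
def ticket_info(buf, pos):
    """Realm, sname and TGT flag of the Ticket ([APPLICATION 1] SEQUENCE) at pos."""
    f = {t: s for t, s, _ in members(buf, tlv(buf, pos)[1])}          # [1] realm, [2] sname
    realm = buf[slice(*tlv(buf, f[0xA1])[1:])].decode()
    p = {t: s for t, s, _ in members(buf, f[0xA2])}                   # PrincipalName: [1] name-string
    names = [buf[s:e].decode() for _, s, e in members(buf, p[0xA1])]
    return {"realm": realm, "sname": "/".join(names), "is_tgt": names[:1] == ["krbtgt"]}
def ap_req_ticket(buf, pos):
    """Offset of the [3] Ticket inside the AP-REQ ([APPLICATION 14] SEQUENCE) at pos."""
    return {t: s for t, s, _ in members(buf, tlv(buf, pos)[1])}[0xA3]
def classify(token):
    """Report what a candidate WSS binary token actually carries."""
    tag, s, _ = tlv(token, 0)
    if tag == 0x61:                                                    # a bare Kerberos Ticket
        return {"kind": "krb5-ticket", **ticket_info(token, 0)}
    p = s + len(KRB5_MECH_OID)
    if tag != 0x60 or token[s:p] != KRB5_MECH_OID or token[p:p + 2] != b"\x01\x00":
        return {"kind": "unknown"}       # not a GSS-API krb5 context token with a KRB_AP_REQ inside
    return {"kind": "gss-krb5-ap-req", **ticket_info(token, ap_req_ticket(token, p + 2))}
def sample_ticket(*sname):
    """Constructed Ticket for sname@EXAMPLE.ORG; the enc-part holds a placeholder, not ciphertext."""
    pn = der(0xA0, der(0x02, b"\x02")) + der(0xA1, der(0x30, b"".join(der(0x1B, c.encode()) for c in sname)))
    enc = der(0x30, der(0xA0, der(0x02, b"\x12")) + der(0xA2, der(0x04, b"<ciphertext>")))
    return der(0x61, der(0x30, der(0xA0, der(0x02, b"\x05")) + der(0xA1, der(0x1B, b"EXAMPLE.ORG"))
                     + der(0xA2, der(0x30, pn)) + der(0xA3, enc)))
def sample_gss_ap_req(ticket):
    """Constructed GSS-API InitialContextToken wrapping an AP-REQ that carries ticket."""
    enc = der(0x30, der(0xA0, der(0x02, b"\x12")) + der(0xA2, der(0x04, b"<authenticator>")))
    ap_req = der(0x6E, der(0x30, der(0xA0, der(0x02, b"\x05")) + der(0xA1, der(0x02, b"\x0e"))
                     + der(0xA2, der(0x03, b"\x00" * 5)) + der(0xA3, ticket) + der(0xA4, enc)))
    return der(0x60, KRB5_MECH_OID + b"\x01\x00" + ap_req)
```

Running classify over sample_gss_ap_req(sample_ticket("krbtgt", "EXAMPLE.ORG")) reports a GSS-wrapped AP-REQ whose inner ticket is a TGT, while a bare sample_ticket("HTTP", "ws.example.org") reports a plain service ticket.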



-----Original Message-----
From: drsecure@us.ibm.com [mailto:drsecure@us.ibm.com]
Sent: 15 April 2004 03:15
To: wss@lists.oasis-open.org
Subject: [wss] Groups - oasis-xxxxx-wss-kerberos-token-profile-1.0.pdf uploaded

The document oasis-xxxxx-wss-kerberos-token-profile-1.0.pdf has been
submitted by Anthony Nadalin (drsecure@us.ibm.com) to the OASIS Web
Services Security TC document repository.

Document Description:
Version 05

Download Document:
http://www.oasis-open.org/apps/org/workgroup/wss/download.php/6394/oasis-xxxxx-wss-kerberos-token-profile-1.0.pdf

View Document Details:
http://www.oasis-open.org/apps/org/workgroup/wss/document.php?document_id=6394

