Sorry to step in to this conversation at a
late stage, but what is wrong with using a GSS-API user-2-user mechanism OID
instead of a lower level method ? Then you can exchange GSS tokens instead of
raw tickets or uauthenticators.
From: Anthony Nadalin
Sent: 12 July 2004 05:26
Subject: Re: [wss] Issue #283 -
Kerberos User to User Protocol
some careful review, exchanging raw tickets, that is without Kerberos
authenticators, poses several risks. This is exacerbated with including U2U.
Therefore, we'd like to propose that all exchanges MUST use Kerberos
uauthenticators. This change will still be opaque to the client yet eliminate
Anthony Nadalin | work 512.838.0085 | cell 512.289.4122
06/09/2004 11:28 AM
[wss] Issue #283
- Kerberos User to User Protocol
everything has been said before on the list. I will summarize.
It was proposed that there was no reason for a
binary token to carry a Ticket Granting Ticket (TGT) in the context of WSS.
Frank pointed out that it was required for the User to User U2U) protocol. The
client sends its TGT to the Server, which forwards it along with its own TGT to
the KDC. The KDC makes up a special service ticket based on both TGTs, which
allows the client and server to share a session key, without the server having
to keep the long term secret on disk (at the cost of extra messages).
The main problem with U2U is that although the
need for it depends on the configuration of the server (typed in password vs.
keytab) it is not transparent to the client. Without some advertisement or
negotiation protocol, this requires prior agreement. However, the use of U2U in
WSS is at least conceivable, therefore it should be allowed.
Resolution: Same as agreed under Issue #277 -
leave TGT as an option, provide text explaining the rationale.
To unsubscribe from this mailing list (and be
removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/wss/members/leave_workgroup.php.