
Subject: RE: [wss] Issue #283 - Kerberos User to User Protocol



Sorry to step in to this conversation at a late stage, but what is wrong with using a GSS-API user-2-user mechanism OID instead of a lower level method? Then you can exchange GSS tokens instead of raw tickets or authenticators.




From: Anthony Nadalin [mailto:drsecure@us.ibm.com]
Sent: 12 July 2004 05:26
To: wss@lists.oasis-open.org
Subject: Re: [wss] Issue #283 - Kerberos User to User Protocol


After some careful review, exchanging raw tickets, that is without Kerberos authenticators, poses several risks. This is exacerbated by including U2U. Therefore, we'd like to propose that all exchanges MUST use Kerberos authenticators. This change will still be opaque to the client yet eliminate the vulnerabilities.

Anthony Nadalin | work 512.838.0085 | cell 512.289.4122

"Hal Lockhart" <hlockhar@bea.com>

06/09/2004 11:28 AM





[wss] Issue #283 - Kerberos User to User Protocol


Really everything has been said before on the list. I will summarize.

It was proposed that there was no reason for a binary token to carry a Ticket Granting Ticket (TGT) in the context of WSS. Frank pointed out that it was required for the User to User (U2U) protocol. The client sends its TGT to the Server, which forwards it along with its own TGT to the KDC. The KDC makes up a special service ticket based on both TGTs, which allows the client and server to share a session key, without the server having to keep the long term secret on disk (at the cost of extra messages).

The main problem with U2U is that although the need for it depends on the configuration of the server (typed in password vs. keytab) it is not transparent to the client. Without some advertisement or negotiation protocol, this requires prior agreement. However, the use of U2U in WSS is at least conceivable, therefore it should be allowed.

Resolution: Same as agreed under Issue #277 - leave TGT as an option, provide text explaining the rationale.
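The U2U flow Hal summarizes above, together with the authenticator requirement Anthony proposes earlier in the thread, modelled as an added Python example; this is not code from the thread, the WSS TC or any Kerberos implementation. The cipher is a toy keystream-plus-HMAC stand-in for Kerberos encryption, and the principal names `alice` and `svc`, the 5-minute clock skew and the replay cache are constructed assumptions; the KDC option name ENC-TKT-IN-SKEY is RFC 4120's term for the user-to-user TGS request. The model shows the service ticket sealed under the server's TGT session key rather than a keytab key, a ticket presented without an authenticator being rejected, and a replayed authenticator being rejected.

```python
"""Toy model of Kerberos User-to-User (U2U) plus authenticator checks. Constructed
illustration: not real Kerberos cryptography or wire format."""
import hashlib, hmac, json, os, time
from typing import Optional

SKEW = 300      # allowed clock skew in seconds (the customary 5 minutes; assumed here)
TAG_LEN = 32


def _keystream(key: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption: SHA-256 keystream XOR plus an HMAC tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, len(pt))))
    return hmac.new(key, ct, hashlib.sha256).digest() + ct


def unseal(key: bytes, blob: bytes) -> dict:
    tag, ct = blob[:TAG_LEN], blob[TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered blob")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct)))))


class KDC:
    def __init__(self):
        self.k_krbtgt = os.urandom(32)   # key that seals every TGT
        self.principals = {}             # long-term keys (password / keytab), held only here

    def register(self, name: str) -> bytes:
        self.principals[name] = os.urandom(32)
        return self.principals[name]

    def as_exchange(self, name: str):
        """AS-REQ/AS-REP: a TGT plus the TGT session key sealed for the principal."""
        sk = os.urandom(32)
        tgt = seal(self.k_krbtgt, {"cname": name, "key": sk.hex(), "exp": time.time() + 3600})
        return tgt, seal(self.principals[name], {"key": sk.hex()})

    def tgs_u2u(self, client_tgt: bytes, server_tgt: bytes, sname: str):
        """U2U TGS exchange (RFC 4120 ENC-TKT-IN-SKEY): the service ticket is sealed under
        the server's TGT session key, so the server needs no long-term key on disk."""
        c, s = unseal(self.k_krbtgt, client_tgt), unseal(self.k_krbtgt, server_tgt)
        if s["cname"] != sname:
            raise ValueError("server TGT does not belong to the requested service")
        svc_key = os.urandom(32)
        ticket = seal(bytes.fromhex(s["key"]), {"cname": c["cname"], "sname": sname, "key": svc_key.hex()})
        return ticket, seal(bytes.fromhex(c["key"]), {"key": svc_key.hex()})


def make_authenticator(svc_key: bytes, cname: str) -> bytes:
    """Authenticator: fresh proof that the presenter holds the ticket's session key."""
    now = time.time()
    return seal(svc_key, {"cname": cname, "ctime": int(now), "cusec": int((now % 1) * 1e6)})


class Server:
    def __init__(self, name: str, tgt_session_key: bytes):
        self.name, self.tgt_sk, self.replay_cache = name, tgt_session_key, set()

    def ap_req(self, ticket: bytes, authenticator: Optional[bytes]):
        """AP-REQ check; returns (accepted, session key or rejection reason)."""
        t = unseal(self.tgt_sk, ticket)          # decrypts with the TGT session key, not a keytab
        svc_key = bytes.fromhex(t["key"])
        if authenticator is None:                # a bare ticket proves nothing about the presenter
            return False, "ticket without authenticator rejected"
        a = unseal(svc_key, authenticator)       # fails unless sealed with the ticket's session key
        if a["cname"] != t["cname"]:
            return False, "authenticator principal mismatch"
        if abs(time.time() - a["ctime"]) > SKEW:
            return False, "authenticator outside clock skew"
        marker = (a["cname"], a["ctime"], a["cusec"])
        if marker in self.replay_cache:
            return False, "replayed authenticator"
        self.replay_cache.add(marker)
        return True, svc_key


def run_u2u() -> dict:
    kdc = KDC()
    k_alice, k_svc = kdc.register("alice"), kdc.register("svc")
    tgt_a, enc_a = kdc.as_exchange("alice")
    tgt_s, enc_s = kdc.as_exchange("svc")        # server typed its password once, keeps only the session key
    sk_a = bytes.fromhex(unseal(k_alice, enc_a)["key"])
    server = Server("svc", bytes.fromhex(unseal(k_svc, enc_s)["key"]))
    # Client hands its TGT to the server; the server forwards both TGTs to the KDC (as in the thread).
    ticket, enc_for_client = kdc.tgs_u2u(tgt_a, tgt_s, "svc")
    svc_key = bytes.fromhex(unseal(sk_a, enc_for_client)["key"])
    auth = make_authenticator(svc_key, "alice")
    ok, key_at_server = server.ap_req(ticket, auth)
    return {
        "with_authenticator": ok,
        "shared_key_matches": ok and key_at_server == svc_key,
        "bare_ticket": server.ap_req(ticket, None)[0],
        "replayed_authenticator": server.ap_req(ticket, auth)[0],
    }
```

The replay cache keyed on (principal, ctime, cusec) and the skew window are what make the authenticator requirement bite: a captured ticket alone, or a ticket with a previously seen authenticator, is refused by the server while a fresh authenticator sealed under the ticket's session key is accepted and both ends end up with the same key.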


