Subject: Re: [wss] Action Item 2005-08-23-01: Kerberos Token Profile and RFC1510 vs RFC 4120


My understanding is that the token is unaffected between 1510 and 4120; only the KDC functionality will change, and that is backwards compatible. Where they may not be compatible is with the encryption types and preauth types, and these would be rejected by the KDC, normally outside the scope of the token itself.

Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
From: Duane Nickull <dnickull@adobe.com>
Date: 09/06/2005 05:35 PM
To: Anthony Nadalin/Austin/IBM@IBMUS
cc: Martin Gudgin <mgudgin@microsoft.com>, wss@lists.oasis-open.org
Subject: Re: [wss] Action Item 2005-08-23-01: Kerberos Token Profile and RFC1510 vs RFC 4120

We may also wish to consider adding some form of attribute to allow a
message to declare that the attached token is either compliant with 4120
or 1510.  The statement in 4120 says they are not compatible.

Interop will be the true test.  There are requirements for processing
4120 tickets written in the new RFC that mention backwards processing
although my take was it is mostly clarification.

Duane

Anthony Nadalin wrote:

> So profile states:
>
> "Kerberos tokens are attached to SOAP messages using WSS: SOAP Message
> Security by using the <wsse:BinarySecurityToken> described in WSS:
> SOAP Message Security. When using this element, the /@ValueType/
> attribute MUST be specified. This specification defines two values for
> this token as defined in the table below:"
>
> So I assume that 4120 URIs are optional and that one MUST be able to
> implement one of the 2 1510 URIs.
>
>
> Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
>
> From: "Martin Gudgin" <mgudgin@microsoft.com>
> Date: 09/05/2005 08:16 AM
> To: <wss@lists.oasis-open.org>
> Subject: [wss] Action Item 2005-08-23-01: Kerberos Token Profile and RFC1510 vs RFC 4120
>
>
> Having surveyed the vast array of interop participants I believe we have
> two possible courses of action;
>
>
> 1. Do nothing.
>
> 2. Update the Kerberos Token Profile by making the following
> changes;
>
> a) Add a reference to RFC4120 to Section 5.
>
> b) Add 4 URIs to the table in Section 3.2 as follows
>
> URI:
>
> http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ1510
> Description: Kerberos v5 AP-REQ as defined in RFC1510. This ValueType is
> used when the ticket is an AP Request per RFC1510
>
> URI:
>
> http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
> Description: A GSS wrapped Kerberos v5 AP-REQ as defined in the GSSAPI
> specification. This ValueType is used when the ticket is an AP Request
> (ST + Authenticator) per RFC1510.
>
> URI:
>
> http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ4120
> Description: Kerberos v5 AP-REQ as defined in RFC4120. This ValueType is
> used when the ticket is an AP Request per RFC4120
>
> URI:
>
> http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ4120
> Description: A GSS wrapped Kerberos v5 AP-REQ as defined in the GSSAPI
> specification. This ValueType is used when the ticket is an AP Request
> (ST + Authenticator) per RFC4120.
>
> c) Amend the descriptions of the first URI currently in Section
> 3.2 as follows;
>
> URI:
>
> http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ
> Description: Kerberos v5 AP-REQ as defined in either RFC1510 or
> RFC4120. This ValueType is used when the ticket is an AP Request.
>
>
> Regards
>
> Gudge
>
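As an added example (not code from the thread, the TC, or the profile itself), the following Python builds a wsse:BinarySecurityToken the way the quoted profile text describes and checks that the ValueType a sender declares agrees with how the token bytes are actually framed: a bare Kerberos v5 AP-REQ begins with the ASN.1 [APPLICATION 14] tag byte 0x6e, while the GSS-wrapped form (RFC 1964 / RFC 2743 InitialContextToken) begins with 0x60, a DER length, the Kerberos V5 mechanism OID 1.2.840.113554.1.2.2 and TOK_ID 01 00 before the AP-REQ. The ValueType strings are the draft URIs from Gudge's proposal with the "xx" placeholder left exactly as in the draft; GSS_Kerberosv5_AP_REQ is assumed here to be the profile's second pre-existing value, which the thread does not spell out. The AP-REQ bytes are a constructed placeholder carrying only pvno and msg-type, not a real ticket or authenticator.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces and EncodingType URI from WSS: SOAP Message Security 1.0.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"

# ValueType URIs as written in Gudge's proposal; "xx" is the draft placeholder, left as-is.
# GSS_Kerberosv5_AP_REQ is an assumption: the profile's second existing value, not named in the thread.
PROFILE = "http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-kerberos-token-profile-1.1"
VALUE_TYPES = {
    PROFILE + "#Kerberosv5_AP_REQ": "raw",
    PROFILE + "#GSS_Kerberosv5_AP_REQ": "gss",
    PROFILE + "#Kerberosv5_AP_REQ1510": "raw",
    PROFILE + "#GSS_Kerberosv5_AP_REQ1510": "gss",
    PROFILE + "#Kerberosv5_AP_REQ4120": "raw",
    PROFILE + "#GSS_Kerberosv5_AP_REQ4120": "gss",
}

KRB5_OID_DER = bytes.fromhex("06092a864886f712010202")  # OID 1.2.840.113554.1.2.2 (RFC 1964)
TOK_ID_AP_REQ = b"\x01\x00"                               # RFC 1964 TOK_ID for KRB_AP_REQ
AP_REQ_TAG = 0x6E   # [APPLICATION 14]; identical framing in RFC 1510 and RFC 4120
GSS_TAG = 0x60      # [APPLICATION 0] InitialContextToken (RFC 2743)


def der_len(n):
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def read_der_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def gss_wrap(ap_req):
    """Wrap an AP-REQ as a GSS InitialContextToken: 0x60 len { mech OID, TOK_ID, AP-REQ }."""
    inner = KRB5_OID_DER + TOK_ID_AP_REQ + ap_req
    return bytes([GSS_TAG]) + der_len(len(inner)) + inner


def classify(token):
    """Return 'raw' for a bare AP-REQ, 'gss' for a GSS-wrapped one; raise otherwise."""
    if not token:
        raise ValueError("empty token")
    if token[0] == AP_REQ_TAG:
        length, start = read_der_len(token, 1)
        if start + length != len(token):
            raise ValueError("AP-REQ length does not match token size")
        return "raw"
    if token[0] == GSS_TAG:
        length, start = read_der_len(token, 1)
        inner = token[start:]
        if length != len(inner):
            raise ValueError("InitialContextToken length does not match token size")
        hdr = KRB5_OID_DER + TOK_ID_AP_REQ
        if not inner.startswith(hdr):
            raise ValueError("not a Kerberos V5 GSS AP-REQ (wrong mech OID or TOK_ID)")
        if classify(inner[len(hdr):]) != "raw":
            raise ValueError("GSS wrapper does not contain a bare AP-REQ")
        return "gss"
    raise ValueError("unrecognised leading tag 0x%02x" % token[0])


def build_bst(token, value_type, wsu_id="KerbToken"):
    """Serialise a <wsse:BinarySecurityToken> carrying the token, ValueType set as the profile requires."""
    el = ET.Element("{%s}BinarySecurityToken" % WSSE, {
        "{%s}Id" % WSU: wsu_id,
        "EncodingType": B64,
        "ValueType": value_type,
    })
    el.text = base64.b64encode(token).decode("ascii")
    return ET.tostring(el, encoding="unicode")


def check_bst(xml_text):
    """Parse a BinarySecurityToken; return (value_type, framing) or raise on a mismatch.

    Rejects a missing/unknown ValueType, a non-Base64 EncodingType, and a declared
    GSS ValueType over bare AP-REQ bytes (or the reverse).
    """
    el = ET.fromstring(xml_text)
    if el.tag != "{%s}BinarySecurityToken" % WSSE:
        raise ValueError("not a wsse:BinarySecurityToken")
    value_type = el.get("ValueType")  # MUST be specified per the profile text quoted above
    if value_type not in VALUE_TYPES:
        raise ValueError("unknown or missing ValueType: %r" % value_type)
    if el.get("EncodingType") != B64:
        raise ValueError("unsupported EncodingType")
    framing = classify(base64.b64decode(el.text or "", validate=True))
    if framing != VALUE_TYPES[value_type]:
        raise ValueError("ValueType declares %s but bytes are %s" % (VALUE_TYPES[value_type], framing))
    return value_type, framing


# Constructed placeholder, not a real ticket: AP-REQ header with pvno=5 and msg-type=14 only.
SAMPLE_AP_REQ = bytes([AP_REQ_TAG]) + der_len(12) + bytes.fromhex("3008a003020105a10302010e")
```

What the check deliberately cannot do is the point of the thread: because the AP-REQ encoding itself is the same under RFC 1510 and RFC 4120, nothing in the bytes tells a receiver whether a "#...1510" or "#...4120" ValueType is the right one to have declared; the framing check only catches a GSS-versus-bare mismatch and unknown ValueTypes, which is why the question of what to declare has to be settled in the profile and interop rather than by parsing.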
