Re: [KAML] Re: Chicago bar-BOF summary

"Douglas E. Engert" <> Mon, 17 September 2007 15:05 UTC

Return-path: <>
Received: from [] ( by with esmtp (Exim 4.43) id 1IXI9t-00089Y-7c; Mon, 17 Sep 2007 11:05:09 -0400
Received: from [] ( by with esmtp (Exim 4.43) id 1IXI9r-00089S-B8 for; Mon, 17 Sep 2007 11:05:07 -0400
Received: from ([]) by with esmtp (Exim 4.43) id 1IXI9q-0000M4-NZ for; Mon, 17 Sep 2007 11:05:07 -0400
Received: from (localhost []) by (Postfix) with ESMTP id 4545DA7; Mon, 17 Sep 2007 10:05:06 -0500 (CDT)
Received: from [] ( []) by (Postfix) with ESMTP id 2E3CBA2; Mon, 17 Sep 2007 10:05:06 -0500 (CDT)
Message-ID: <>
Date: Mon, 17 Sep 2007 10:05:05 -0500
From: "Douglas E. Engert" <>
User-Agent: Thunderbird (Windows/20070728)
MIME-Version: 1.0
To: "Henry B. Hotz" <>
Subject: Re: [KAML] Re: Chicago bar-BOF summary
References: <> <> <> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 944ecb6e61f753561f559a497458fb4f
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about SAML and Kerberos intersections <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>

Henry B. Hotz wrote:
> Anyone know the compatibility of the PAC with other authorization data?  
> DCE authN data is, I presume, ASN1 encoded.  I think the PAC is just a 
> memory dump.  A SAML token is XML.
> Even if we ignore DCE, can we guarantee that an XML blob and the PAC can 
> coexist if needed?  I think I'm seeing some provisions for that, but 
> want to confirm.

Yes. RFC 4120 section 7.5.4 defines the Authorization Data Types.
AD_WIN2K_PAC(128) and AD_ETYPE_NEGOTAION(129). Others can be added
but the Authorization Data Types are not listed in IANA.

The PAC (128) is wrapped in a AD_IF_RELEVANT(1) which implies it is

>  ><I don't have anything to add to Doug's comments.>>
> On Sep 13, 2007, at 2:24 PM, Douglas E. Engert wrote:
>> Gerald Beuchelt wrote:
>>> It is my understanding (and I am also no lawyer!) that the article by 
>>> John Brezak carries a patent license regarding the actual content of 
>>> the document itself.
>>> Now, this document specifies the PAC for Windows 2000, with the 
>>> exception of 18 reserved fields. What it also does not specify is any 
>>> PAC changes in XP, 2003, Vista, or 2008. It also does not specify any 
>>> backend infrastructure (e.g. discovery or resolution services, policy 
>>> tools, or data storage, etc.) that might or might not be covered by 
>>> patents or other intellectual property rights. Also, some of the 
>>> default SIDs in the Windows implementation that are required for 
>>> evaluating group membership (e.g. EVERYONE, etc.) are also not 
>>> included in this document.
>> There was also the IETF:
>> draft-brezak-win2k-krb-authz-01.txt
>> from October 2002, I still have a copy, but does not address XP, 2003
>> or Vista.
>> Samba has been working on using the PAC created by Windows, and trying
>> to get XP to use a Samba/Heimdal created PAC. So they may have addressed
>> a lot of these issues.
>>> In addition, I do seem to remember that Microsoft at some time 
>>> offered a complete description (purportedly including the 18 reserved 
>>> fields) of the PAC that came with a license explicitly prohibiting 
>>> implementation. Since I did not touch this document, I cannot speak 
>>> to its actual content.
>>> So, as I am not a lawyer, I am quite paranoid when it comes to other 
>>> people's IPR and license terms. Therefore I am just cautioning the 
>>> use of these specifications, since they are (i) old (Windows 2000), 
>>> (ii) not peer-reviewed, and (iii) not published by an established 
>>> standards organization with a clear IPR regime.
>>> Sorry to be such a pain, but if the majority of this group is intend 
>>> on pursuing the NT PAC path, I would suggest that someone approaches 
>>> Microsoft to get clarification about the status of the spec.
>> I don't think trying to add something to the Microsoft PAC is a good 
>> idea.
>> But if they add something "Level of assurance" to the PAC using it is
>> another story.
>> Adding another auth_data element of SAML does not require the 
>> Microsoft PAC.
>>> Best,
>>> Gerald
>>> Henry B. Hotz wrote:
>>>> On Sep 13, 2007, at 12:32 PM, Gerald Beuchelt wrote:
>>>>> However, note that there is no patent covenant or even simple 
>>>>> licensing terms for the backend infrastructure, so while 
>>>>> implementing these data structures might be covered *to the extend 
>>>>> that they are documented here), the necessary backend 
>>>>> infrastructure might require additional licensing and royalties.
>>>> I'm not sure what you mean.  Can you give an example of something 
>>>> that might require a license?  In my mind (I'm not a lawyer) an 
>>>> implementation is either independent, or not.  Since Microsoft 
>>>> doesn't publish actual code for any of this an implementation is 
>>>> either pirated from unpublished code, or it's independent, isn't it?
> ------------------------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
>, or


  Douglas E. Engert  <>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

KAML mailing list