Re: [KAML] latest status

"Henry B. Hotz" <hotz@jpl.nasa.gov> Fri, 18 September 2009 21:50 UTC

Return-Path: <hotz@jpl.nasa.gov>
X-Original-To: kaml@core3.amsl.com
Delivered-To: kaml@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 785DC3A67DD for <kaml@core3.amsl.com>; Fri, 18 Sep 2009 14:50:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SwDj+yvYMAms for <kaml@core3.amsl.com>; Fri, 18 Sep 2009 14:50:37 -0700 (PDT)
Received: from mail.jpl.nasa.gov (sentrion1.jpl.nasa.gov [128.149.139.105]) by core3.amsl.com (Postfix) with ESMTP id F21B73A67F6 for <kaml@ietf.org>; Fri, 18 Sep 2009 14:50:36 -0700 (PDT)
Received: from mprox1.jpl.nasa.gov (mprox1.jpl.nasa.gov [137.78.160.140]) by mail.jpl.nasa.gov (Switch-3.4.1/Switch-3.3.2mp) with ESMTP id n8ILpUcp014224; Fri, 18 Sep 2009 21:51:30 GMT
Received: from dhcp-78-144-241.jpl.nasa.gov (dhcp-78-144-241.jpl.nasa.gov [137.78.144.241]) by mprox1.jpl.nasa.gov (Switch-3.2.6/Switch-3.2.6) with ESMTP id n8ILpSNj016169 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Fri, 18 Sep 2009 14:51:28 -0700
Message-Id: <0654FB70-6E54-4DFE-8E03-ECFEC2FD0A6D@jpl.nasa.gov>
From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
To: "Taylor, Dennis C. (GSFC-750.0)[INDUS CORPORATION]" <dennis.c.taylor@nasa.gov>
In-Reply-To: <92D6F111A1BECC4397067F6934E0100204EFB4C603@NDMSSCC08.ndc.nasa.gov>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Fri, 18 Sep 2009 13:58:01 -0700
References: <46fc8a10909180713x3116deb5l2cfade36f6b85a2e@mail.gmail.com> <0AC447C8-C281-4432-BC43-93FD295B8FDC@jpl.nasa.gov> <92D6F111A1BECC4397067F6934E0100204EFB4C603@NDMSSCC08.ndc.nasa.gov>
X-Mailer: Apple Mail (2.936)
X-Source-IP: dhcp-78-144-241.jpl.nasa.gov [137.78.144.241]
X-Source-Sender: hotz@jpl.nasa.gov
X-AUTH: Authorized
Cc: "kaml@ietf.org" <kaml@ietf.org>, "Hotz, Henry B. \(JPL-173G\)\[JPL\]" <henry.b.hotz@nasa.gov>
Subject: Re: [KAML] latest status
X-BeenThere: kaml@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussions about SAML and Kerberos intersections <kaml.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/kaml>, <mailto:kaml-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kaml>
List-Post: <mailto:kaml@ietf.org>
List-Help: <mailto:kaml-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kaml>, <mailto:kaml-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Sep 2009 21:50:38 -0000

Do you see a generalization of that suitable for standardization?

On Sep 18, 2009, at 12:30 PM, Taylor, Dennis C. (GSFC-750.0)[INDUS  
CORPORATION] wrote:

> Henry,
>
> FYI, about the LoA in the Microsoft PAC part...NASA did make that  
> request about 2 years ago.  We had some follow-up and we asked for  
> the capability to map a certificate issuance OID to a security group  
> dynamically.
>
> Windows 2008 R2 does now have this capability.  Some information  
> about this is described here: http://technet.microsoft.com/en-us/library/dd378897.aspx
>
> I briefly piloted a demo in May with one of the prerelease builds.   
> I was able to map id-fpki-common-authentication (from the PIV Auth  
> certificate) to security group "PIV Authentication LOA 4", a  
> security group of my choosing.  I was then able to create standard  
> Windows ACLs to restrict access to only users that authenticated  
> with the PIV smartcard.
>
> There are some limitations. Microsoft does not yet have the  
> capability to create ACL logical expressions, e.g. "Launch Control  
> Team" and "PIV Authentication LOA 4".  There are some work-arounds  
> though.
>
> Dennis Taylor
> NCAD
>
>> -----Original Message-----
>> From: kaml-bounces@ietf.org [mailto:kaml-bounces@ietf.org] On  
>> Behalf Of
>> Henry B. Hotz
>> Sent: Friday, September 18, 2009 2:41 PM
>> To: James Ryan
>> Cc: kaml@ietf.org
>> Subject: Re: [KAML] latest status
>>
>> On Sep 18, 2009, at 7:13 AM, James Ryan wrote:
>>
>>> I have been unplugged on this topic for a few years.  Could someone
>>> give the latest status?
>>>
>>> thanks!!
>>
>>
>> The short answer is that we failed to reach consensus and petered
>> out.  Of course that doesn't mean the issues have gone away.  I'm not
>> sure I recall all the solutions people were proposing any more.   
>> There
>> were some reasonable attempts at summaries near the end of what
>> exchanges did happen on-list.
>>
>> The concept that defined the name of this list was to include a SAML
>> token in a ticket.  I personally opposed that because I thought it
>> undesirable to mix ASN.1 and XML in the same thing.  (It's possible  
>> my
>> objections are Quixotic.)
>>
>> Many (most) of us wanted a way to pass on information from or about
>> the original cert used in a PKINIT exchange.  Probably the simplest
>> proposal of that type was Doug Engert's that the cert itself just be
>> included, but people apparently felt that was excessive, and/or
>> excessively distant from the information desired.
>>
>> My own desire was for a way to label a ticket according to the US
>> Government level of assurance that was used to acquire it.  A  
>> standard
>> mechanism ought to be more general than a US standard of course.
>> Unfortunately, that created unwanted complexities in defining what
>> ought to be in the ticket, if it wasn't necessarily a US LOA.
>>
>> The Microsoft PAC was not considered a good basis for a solution, but
>> everyone wanted to remain compatible with it if it was present.
>>
>> Off-list I have second- or third-hand information (unreliable
>> information in other words) that NASA asked Microsoft to include the
>> US LOA in the PAC as a dynamic group membership, and they agreed.  I
>> also have possibly-contradictory information that Microsoft told NASA
>> to work through the IETF and the Kerberos Consortium to define how  
>> the
>> LOA information should be handled and they would conform to and
>> implement whatever was agreed on.
>>
>> Absent a better consensus, I proposed that we create a framework
>> document covering how multiple representations of authorization data
>> should coexist and their degree of consistency.  There did not seem  
>> to
>> be any interest.
>>
>> I think there is interest in solving the authorization problem in a
>> way that scales better than the MS PAC.  There's interest on
>> Microsoft's part as well.  Nobody's come up with a solution that
>> enough people find attractive though.
>> ------------------------------------------------------
>> The opinions expressed in this message are mine,
>> not those of Caltech, JPL, NASA, or the US Government.
>> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
>>
>>
>>
>> _______________________________________________
>> KAML mailing list
>> KAML@ietf.org
>> https://www.ietf.org/mailman/listinfo/kaml

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu