Re: [KAML] latest status
"Henry B. Hotz" <hotz@jpl.nasa.gov> Fri, 18 September 2009 21:50 UTC
Message-Id: <0654FB70-6E54-4DFE-8E03-ECFEC2FD0A6D@jpl.nasa.gov>
From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
To: "Taylor, Dennis C. (GSFC-750.0)[INDUS CORPORATION]" <dennis.c.taylor@nasa.gov>
In-Reply-To: <92D6F111A1BECC4397067F6934E0100204EFB4C603@NDMSSCC08.ndc.nasa.gov>
Date: Fri, 18 Sep 2009 13:58:01 -0700
References: <46fc8a10909180713x3116deb5l2cfade36f6b85a2e@mail.gmail.com> <0AC447C8-C281-4432-BC43-93FD295B8FDC@jpl.nasa.gov> <92D6F111A1BECC4397067F6934E0100204EFB4C603@NDMSSCC08.ndc.nasa.gov>
Cc: "kaml@ietf.org" <kaml@ietf.org>, "Hotz, Henry B. (JPL-173G)[JPL]" <henry.b.hotz@nasa.gov>
Do you see a generalization of that suitable for standardization?

On Sep 18, 2009, at 12:30 PM, Taylor, Dennis C. (GSFC-750.0)[INDUS CORPORATION] wrote:

> Henry,
>
> FYI, about the LoA in the Microsoft PAC part... NASA did make that request about 2 years ago. We had some follow-up and we asked for the capability to map a certificate issuance OID to a security group dynamically.
>
> Windows 2008 R2 does now have this capability. Some information about this is described here: http://technet.microsoft.com/en-us/library/dd378897.aspx
>
> I briefly piloted a demo in May with one of the prerelease builds. I was able to map id-fpki-common-authentication (from the PIV Auth certificate) to security group "PIV Authentication LOA 4", a security group of my choosing. I was then able to create standard Windows ACLs to restrict access to only users that authenticated with the PIV smartcard.
>
> There are some limitations. Microsoft does not yet have the capability to create ACL logical expressions, e.g. "Launch Control Team" and "PIV Authentication LOA 4". There are some work-arounds though.
>
> Dennis Taylor
> NCAD
>
>> -----Original Message-----
>> From: kaml-bounces@ietf.org [mailto:kaml-bounces@ietf.org] On Behalf Of Henry B. Hotz
>> Sent: Friday, September 18, 2009 2:41 PM
>> To: James Ryan
>> Cc: kaml@ietf.org
>> Subject: Re: [KAML] latest status
>>
>> On Sep 18, 2009, at 7:13 AM, James Ryan wrote:
>>
>>> I have been unplugged on this topic for a few years. Could someone give the latest status?
>>>
>>> thanks!!
>>
>> The short answer is that we failed to reach consensus and petered out. Of course that doesn't mean the issues have gone away. I'm not sure I recall all the solutions people were proposing any more. There were some reasonable attempts at summaries near the end of what exchanges did happen on-list.
>>
>> The concept that defined the name of this list was to include a SAML token in a ticket. I personally opposed that because I thought it undesirable to mix ASN.1 and XML in the same thing. (It's possible my objections are Quixotic.)
>>
>> Many (most) of us wanted a way to pass on information from or about the original cert used in a PKINIT exchange. Probably the simplest proposal of that type was Doug Engert's that the cert itself just be included, but people apparently felt that was excessive, and/or excessively distant from the information desired.
>>
>> My own desire was for a way to label a ticket according to the US Government level of assurance that was used to acquire it. A standard mechanism ought to be more general than a US standard of course. Unfortunately, that created unwanted complexities in defining what ought to be in the ticket, if it wasn't necessarily a US LOA.
>>
>> The Microsoft PAC was not considered a good basis for a solution, but everyone wanted to remain compatible with it if it was present.
>>
>> Off-list I have second- or third-hand information (unreliable information in other words) that NASA asked Microsoft to include the US LOA in the PAC as a dynamic group membership, and they agreed. I also have possibly-contradictory information that Microsoft told NASA to work through the IETF and the Kerberos Consortium to define how the LOA information should be handled and they would conform to and implement whatever was agreed on.
>>
>> Absent a better consensus, I proposed that we create a framework document covering how multiple representations of authorization data should coexist and their degree of consistency. There did not seem to be any interest.
>>
>> I think there is interest in solving the authorization problem in a way that scales better than the MS PAC. There's interest on Microsoft's part as well. Nobody's come up with a solution that enough people find attractive though.
>>
>> ------------------------------------------------------
>> The opinions expressed in this message are mine,
>> not those of Caltech, JPL, NASA, or the US Government.
>> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
>>
>> _______________________________________________
>> KAML mailing list
>> KAML@ietf.org
>> https://www.ietf.org/mailman/listinfo/kaml

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
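The mechanism Dennis describes above (a certificate issuance-policy OID from the PKINIT client certificate is mapped to a security group that the KDC asserts dynamically, and ordinary ACLs then key off that group) can be shown end to end without a domain controller. The following is an added example written for this archive page; it is not code from the thread, from NASA's pilot, or from Microsoft's Windows Server 2008 R2 implementation. It uses only the Python standard library: a small hand-rolled DER encoder/decoder builds a constructed certificatePolicies extension value, extracts the policy OIDs from it, and maps them to group names. The two FPKI OIDs are real (id-fpki-common-authentication is 2.16.840.1.101.3.2.1.3.13, id-fpki-common-hardware is 2.16.840.1.101.3.2.1.3.7), but the policy-to-group table, the "PIV Hardware Token" group name and the sample extension are this example's assumptions. The final helper is the conjunction ("Launch Control Team" AND "PIV Authentication LOA 4") that Dennis says the Windows ACL model could not express at the time.

```python
"""Added example: policy OID -> assurance group mapping for a PKINIT client cert.

Stdlib only. The DER helpers are hand-rolled so this runs offline without a
certificate library; they cover exactly what certificatePolicies needs.
"""
from __future__ import annotations

# Real Federal PKI Common Policy OIDs.
ID_FPKI_COMMON_AUTHENTICATION = "2.16.840.1.101.3.2.1.3.13"  # PIV Authentication cert
ID_FPKI_COMMON_HARDWARE = "2.16.840.1.101.3.2.1.3.7"

# Assumed local mapping (this example's choice, not a published table) from the
# issuance-policy OID on the cert to the group asserted for the session.
POLICY_TO_GROUP = {
    ID_FPKI_COMMON_AUTHENTICATION: "PIV Authentication LOA 4",
    ID_FPKI_COMMON_HARDWARE: "PIV Hardware Token",
}


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06, base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]  # first two arcs share one subid
    out = bytearray()
    for v in subids:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))  # continuation bit on all but the last
            v >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV that starts at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets back to dotted form."""
    subids, v = [], 0
    for b in content:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(v)
            v = 0
    first = subids[0]
    head = (0, first) if first < 40 else (1, first - 40) if first < 80 else (2, first - 80)
    return ".".join(str(a) for a in head + tuple(subids[1:]))


def policy_oids(cert_policies_der: bytes) -> list[str]:
    """Walk certificatePolicies ::= SEQUENCE OF PolicyInformation and return each
    policyIdentifier. Any policyQualifiers after the OID are ignored."""
    tag, seq, _ = _read_tlv(cert_policies_der, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = _read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid_content, _ = _read_tlv(info, 0)
        if tag != 0x06:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_content))
    return oids


def assurance_groups(cert_policies_der: bytes) -> list[str]:
    """Groups to assert for a principal whose PKINIT cert carried these policies.
    Unknown policy OIDs yield nothing, so an unmapped cert gets no assurance group."""
    return [POLICY_TO_GROUP[o] for o in policy_oids(cert_policies_der) if o in POLICY_TO_GROUP]


def authorized(principal_groups, required_all) -> bool:
    """Conjunctive check: every required group must be held (team AND LOA 4)."""
    return set(required_all) <= set(principal_groups)


# Constructed sample extension value, as a PIV Auth cert might carry it.
SAMPLE_CERT_POLICIES = _tlv(0x30, b"".join(
    _tlv(0x30, encode_oid(o)) for o in (ID_FPKI_COMMON_HARDWARE, ID_FPKI_COMMON_AUTHENTICATION)))

if __name__ == "__main__":
    groups = assurance_groups(SAMPLE_CERT_POLICIES)
    print("policies:", policy_oids(SAMPLE_CERT_POLICIES))
    print("dynamic groups:", groups)
    print("team AND LOA4:", authorized(groups + ["Launch Control Team"],
                                       ["Launch Control Team", "PIV Authentication LOA 4"]))
```

The check worth keeping from this is the last one: a group asserted from a certificate policy says how the principal authenticated, not who they are, so an ACL that needs both properties has to require both groups rather than either one.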