Re: [KAML] Re: Chicago bar-BOF summary

"Douglas E. Engert" <deengert@anl.gov> Thu, 06 September 2007 20:35 UTC

Message-ID: <46E064A9.7000504@anl.gov>
Date: Thu, 06 Sep 2007 15:35:53 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
To: Tom Scavo <trscavo@gmail.com>
Subject: Re: [KAML] Re: Chicago bar-BOF summary
References: <46DE5CC1.10204@it.su.se> <8158D751-0EE0-4D58-81DB-549C4A413B68@jpl.nasa.gov> <ea2af9bd0709061303x356b65b9je237294f93de4c0e@mail.gmail.com>
In-Reply-To: <ea2af9bd0709061303x356b65b9je237294f93de4c0e@mail.gmail.com>
Cc: kaml@ietf.org


Tom Scavo wrote:
> On 9/6/07, Henry B. Hotz <hotz@jpl.nasa.gov> wrote:
>> Or do we just start discussing how to put SAML tokens into the
>> authorization data field and what constraints we impose on how the
>> tokens are encrypted/validated.
> 
> FWIW, we are embedding SAML assertions in short-lived X.509
> certificates 

So you are talking RFC3820 proxy certificates?

> and using the latter as decorated authentication tokens
> in grids.   The SAML assertions (not responses or other SAML protocol
> constructs) contain authentication and attribute information used for
> access control purposes. A big advantage of this approach (we think)
> is that the SAML goes along for the ride regardless of how the X.509
> certificate is presented to the relying party, either TLS or some
> message-level protocol such as WS-Security X.509 Token Profile.

One problem is that PKINIT today does not use any of these assertions
when issuing a TGT, and does not forward these assertions in the TGT.
Thus my suggestion of passing the cert and chain in the TGT.

Now if SAML processing is added to the KDC, maybe it should pass
along any SAML assertions found in the cert chain rather than
the full cert.

> 
> Use cases are varied.  The presenter may be the subject or an entity
> (such as a portal) acting on behalf of the subject.  The SAML
> assertion may be issued by the same entity that issued the X.509
> certificate (in which case the requirements on the SAML assertion are
> minimal) or by some third party (in which case the assertion is a
> signed, standalone token).
> 
> Tom Scavo
> NCSA
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

_______________________________________________
KAML mailing list
KAML@ietf.org
https://www1.ietf.org/mailman/listinfo/kaml