Re: [KAML] latest status

"Josh Howlett" <> Tue, 03 November 2009 16:01 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 67F923A67D8 for <>; Tue, 3 Nov 2009 08:01:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_27=0.6]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id s7EFNQsR6tsP for <>; Tue, 3 Nov 2009 08:01:44 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 8971D28C0EA for <>; Tue, 3 Nov 2009 08:01:44 -0800 (PST)
Received: from (localhost.localdomain []) by localhost (Email Security Appliance) with SMTP id 4CB914A6B68_AF053FAB; Tue, 3 Nov 2009 16:02:02 +0000 (GMT)
Received: from ( []) by (Sophos Email Appliance) with ESMTP id 27E1F4A6B6B_AF053F2F; Tue, 3 Nov 2009 16:01:54 +0000 (GMT)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 3 Nov 2009 16:02:31 -0000
Message-ID: <>
In-Reply-To: <009701ca5767$20f22ab0$62d68010$>
Thread-Topic: [KAML] latest status
Thread-Index: AcpXZpToYHFh0KDxSeKBgS0S35VeigAAE9+gAU2WttA=
References: <><><><> <009701ca5767$20f22ab0$62d68010$>
From: "Josh Howlett" <>
To: "Scott Cantor" <>, "Henry B. Hotz" <>, "Luke Howard" <lukeh@PADL.COM>
Cc: Josh Howlett <>,, Stephen C Buckley <sbuckley@MIT.EDU>
Subject: Re: [KAML] latest status
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussions about SAML and Kerberos intersections <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 03 Nov 2009 16:01:45 -0000

> but there are 
> other missing pieces, some of which Josh Howlett and Thomas 
> Hardjono have been proposing to the OASIS TC, such as 
> representing tickets as a new subject confirmation method and 
> expressing principal and service names within ds:KeyInfo.


 - Kerberos Subject Confirmation Method: to allow a relying party to
confirm an attesting party using Kerberos.
 - Kerberos Attribute Profile: primarily, to enable a SAML requestor to
obtain a Kerberos AP-REQ for named user and service principals.
 - Kerberos Web Browser SSO Profile: primarily, to profile the use of
the Kerberos Subject Confirmation Method within the Web SSO Profile.

The primary use-cases are:
 - to improve the usability and level of assurance in the security
context of a Web SSO session.
 - to provide Kerberos-based evidence for AuthZ decisions, for the
single and n-tier cases (including web services).
 - to establish Kerberos-based trust between SAML entities, rather than
the more typical use of PKI.


JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG