Re: [KAML] Re: Chicago bar-BOF summary

Gerald Beuchelt <> Fri, 14 September 2007 12:34 UTC

Date: Fri, 14 Sep 2007 08:34:28 -0400
From: Gerald Beuchelt <>
Subject: Re: [KAML] Re: Chicago bar-BOF summary
To: "Douglas E. Engert" <>
List-Id: Discussions about SAML and Kerberos intersections <>

Douglas E. Engert wrote:
> Gerald Beuchelt wrote:
>> It is my understanding (and I am also no lawyer!) that the article by 
>> John Brezak carries a patent license regarding the actual content of 
>> the document itself.
>> Now, this document specifies the PAC for Windows 2000, with the 
>> exception of 18 reserved fields. What it also does not specify is any 
>> PAC changes in XP, 2003, Vista, or 2008. It also does not specify any 
>> backend infrastructure (e.g. discovery or resolution services, policy 
>> tools, or data storage, etc.) that might or might not be covered by 
>> patents or other intellectual property rights. Also, some of the 
>> default SIDs in the Windows implementation that are required for 
>> evaluating group membership (e.g. EVERYONE, etc.) are also not 
>> included in this document.
> There was also the IETF:
> draft-brezak-win2k-krb-authz-01.txt
> from October 2002, I still have a copy, but does not address XP, 2003
> or Vista.
> Samba has been working on using the PAC created by Windows, and trying
> to get XP to use a Samba/Heimdal created PAC. So they may have addressed
> a lot of these issues.
(Disclaimer: I have not been actively working on these subjects for a 
few years - please be patient with me and correct my failing memory :-))

The samba 3 domain model is distinctly different from the AD/Windows 
200x and NT4 domain models in that it is completely non-interoperable: 
you can not mix samba domain controllers into an AD or NT4 domain, or 
vice versa. The now-in-alpha samba 4 tries to address this - I will 
probably take a closer look at where they are at this point in time.

>> In addition, I do seem to remember that Microsoft at some time 
>> offered a complete description (purportedly including the 18 reserved 
>> fields) of the PAC that came with a license explicitly prohibiting 
>> implementation. Since I did not touch this document, I cannot speak 
>> to its actual content.
>> So, as I am not a lawyer, I am quite paranoid when it comes to other 
>> people's IPR and license terms. Therefore I am just cautioning the 
>> use of these specifications, since they are (i) old (Windows 2000), 
>> (ii) not peer-reviewed, and (iii) not published by an established 
>> standards organization with a clear IPR regime.
>> Sorry to be such a pain, but if the majority of this group is intent 
>> on pursuing the NT PAC path, I would suggest that someone approaches 
>> Microsoft to get clarification about the status of the spec.
> I don't think trying to add something to the Microsoft PAC is a good 
> idea.
> But if they add something "Level of assurance" to the PAC using it is
> another story.

> Adding another auth_data element of SAML does not require the 
> Microsoft PAC.
Assuming that Windows (and other Kerb implementations) ignore data after 
the PAC, yes?
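The question above is really about how a Kerberos consumer walks the ticket's AuthorizationData once a second element sits beside the PAC. As an added example, not code from the thread or from Windows, Samba or Heimdal, the following Python implements the RFC 4120 section 5.2.6 structure with a minimal DER codec: the PAC is carried as AD-WIN2K-PAC (ad-type 128) inside AD-IF-RELEVANT (ad-type 1), and a second AD-IF-RELEVANT wraps an element whose ad-type (0x7777) is a placeholder assumed here for a SAML element, as no number is assigned on this page. The walker separates elements it understands, unknown elements under AD-IF-RELEVANT (which RFC 4120 says a server MAY ignore), and unknown elements at top level (where no such permission is given and the consumer must decide by policy). The PAC and SAML byte strings are constructed placeholders, not real structures.

```python
"""Kerberos AuthorizationData (RFC 4120 s.5.2.6) with a minimal DER codec.
Added illustration; not code from the KAML thread or any named implementation.

AuthorizationData ::= SEQUENCE OF SEQUENCE { ad-type [0] Int32, ad-data [1] OCTET STRING }
"""

AD_IF_RELEVANT = 1            # RFC 4120 s.7.5.4
AD_WIN2K_PAC = 128            # RFC 4120 s.7.5.4
AD_SAML_PLACEHOLDER = 0x7777  # hypothetical ad-type for a SAML element (assumption, not assigned)


def der_len(n: int) -> bytes:
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_int(v: int) -> bytes:
    """DER INTEGER, minimal two's complement (non-negative values used here)."""
    return der_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def encode_ad(elements) -> bytes:
    """[(ad_type, ad_data), ...] -> DER-encoded AuthorizationData."""
    seq = b""
    for ad_type, ad_data in elements:
        seq += der_tlv(0x30, der_tlv(0xA0, der_int(ad_type)) + der_tlv(0xA1, der_tlv(0x04, ad_data)))
    return der_tlv(0x30, seq)


def der_read(buf: bytes, pos: int):
    """Return (tag, body, position after the TLV) for the TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + ln > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + ln], pos + ln


def decode_ad(buf: bytes):
    """DER AuthorizationData -> [(ad_type, ad_data), ...]."""
    tag, seq, end = der_read(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("not a single SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        tag, elem, pos = der_read(seq, pos)
        t0, c0, p = der_read(elem, 0)   # [0] ad-type
        t1, c1, _ = der_read(elem, p)   # [1] ad-data
        if (tag, t0, t1) != (0x30, 0xA0, 0xA1):
            raise ValueError("malformed AuthorizationData element")
        _, ival, _ = der_read(c0, 0)
        _, octets, _ = der_read(c1, 0)
        out.append((int.from_bytes(ival, "big", signed=True), octets))
    return out


def walk_ad(buf: bytes, known, _in_if_relevant=False):
    """Walk AuthorizationData, descending into AD-IF-RELEVANT.

    Returns (found, ignorable, unknown_top): found maps known ad-types to data;
    ignorable lists unknown ad-types met inside AD-IF-RELEVANT (RFC 4120: MAY be
    ignored); unknown_top lists unknown ad-types outside it (policy decision).
    """
    found, ignorable, unknown_top = {}, [], []
    for ad_type, ad_data in decode_ad(buf):
        if ad_type == AD_IF_RELEVANT:
            f, i, u = walk_ad(ad_data, known, True)
            found.update(f); ignorable += i; unknown_top += u
        elif ad_type in known:
            found[ad_type] = ad_data
        elif _in_if_relevant:
            ignorable.append(ad_type)
        else:
            unknown_top.append(ad_type)
    return found, ignorable, unknown_top


# Constructed sample: an opaque stand-in for a PAC, then a stand-in for a SAML
# element, each wrapped in its own AD-IF-RELEVANT as Windows wraps the PAC.
PAC_BLOB = b"\x00" * 16           # placeholder bytes, not a real PAC
SAML_BLOB = b"<saml:Assertion/>"  # placeholder bytes, not a real assertion
SAMPLE_AD = encode_ad([
    (AD_IF_RELEVANT, encode_ad([(AD_WIN2K_PAC, PAC_BLOB)])),
    (AD_IF_RELEVANT, encode_ad([(AD_SAML_PLACEHOLDER, SAML_BLOB)])),
])


def pac_only_consumer(buf: bytes):
    """A consumer that understands only the PAC: returns (pac, ignored ad-types)."""
    found, ignorable, unknown_top = walk_ad(buf, {AD_WIN2K_PAC})
    if unknown_top:
        raise ValueError(f"unrecognised top-level ad-types {unknown_top}")
    return found.get(AD_WIN2K_PAC), ignorable


if __name__ == "__main__":
    pac, ignored = pac_only_consumer(SAMPLE_AD)
    print("PAC bytes:", len(pac), "ignored ad-types:", [hex(t) for t in ignored])
```

Placing the extra element under its own AD-IF-RELEVANT is the only arrangement the RFC explicitly lets a PAC-only consumer skip; the same element at top level lands in `unknown_top`, where the consumer's policy, not the standard, decides whether the ticket is accepted.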