Re: [KAML] LoA proposal

"Henry B. Hotz" <> Wed, 19 September 2007 19:04 UTC

From: "Henry B. Hotz" <>
Subject: Re: [KAML] LoA proposal
Date: Wed, 19 Sep 2007 12:04:08 -0700
To: Paul Rabinovich <>
List-Id: Discussions about SAML and Kerberos intersections <>

Not sure there isn't a bit of scope creep in the proposal.  Seems to
me the scope is providing authorization information based on how the
original authentication was done, not to define new authentication
mechanisms per se.  We need to be careful what we say about OTP and
SAML authentication in the absence of approved RFCs or other standards.

I think we can "agree to disagree" on what kind of authorization
information is needed/appropriate based on prior discussion.  Let me  
suggest a different organization;  we should define two kinds of  

1) RAW information, which provides details about how the original  
authentication was done.

2) EVALUATED information, which provides a policy judgement about the  
quality/strength/implications of the authentication method.

Examples of RAW information would be the kind of OTP token used, or  
the cert (and/or cert path) for a PKINIT authentication.  If a SAML  
token caused the ticket to be issued then that SAML token might be  

Examples of EVALUATED information would be a SAML token asserting the  
SP800-63 LoA of the authentication, or the PAC data defined by  
Microsoft.  DCE authorization info probably also qualifies (just to  
keep an ASN1-encoded type in the mix).

All of the above are optional, based on local policy requirements.   
Any/all of the above examples MUST be includable without conflict.   
Not that it would have been a problem, but the above clearly  
distinguishes whether a SAML token generated the authentication, or  
the authentication generated the SAML token, and both SAML tokens  
might be included.

I'd propose that the EVALUATED information gets included/excluded  
based on the same mechanism used by Microsoft to include/exclude the  
PAC.  I'd propose the RAW data is excluded by default, but included  
if requested by some other mechanism.

On Sep 19, 2007, at 7:55 AM, Paul Rabinovich wrote:

> 	Hello,
> 	In the attached document I attempted to summarize LoA-related  
> traffic in this and krb lists and to sketch a proposal. From Sam's  
> e-mail it looks like we need to produce an I-D by Oct 1. I'll start  
> right away on putting the proposal in the attached document into  
> the I-D format, and will send it out in the next couple of days.


> 11. The “simple” profile will support forwarding of authentication  
> info defined as a CHOICE:
> -       User ID/password: an ENUM or OCTET STRING saying “user ID/ 
> password”.
> -       X.509 certification path: an ENUM or OCTET STRING saying “X. 
> 509 path” plus a SEQUENCE/SET of certificates.
> -       X.509 end-entity certificate only: an ENUM or OCTET STRING  
> saying “X.509 single cert” plus the certificate. I'd vote for an
> ENUM on space efficiency grounds.

I'd vote for ENUM on space efficiency grounds.
> -       OTP: an ENUM or OCTET STRING saying “OTP” (QUESTION: are  
> there any important flavors/subdivisions?)
Take a look at section 5.1.1 of draft-ietf-krb-wg-kerberos-sam-03.txt.
> -       QUESTION: Is multifactor authentication of interest?
Absolutely.  If nothing else the use of multifactor authentication is  
needed for the higher levels in SP800-63, so it's already implied.   
Do we need to explicitly define a way to carry the number of factors  
used in the original authentication?  I don't think so, but I may be  

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.