Re: [KAML] Re: Chicago bar-BOF summary
"Douglas E. Engert" <deengert@anl.gov> Thu, 06 September 2007 22:33 UTC
Return-path: <kaml-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1ITPuJ-0000Lh-1w; Thu, 06 Sep 2007 18:33:03 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1ITPuI-0000LP-AZ for kaml@ietf.org; Thu, 06 Sep 2007 18:33:02 -0400
Received: from mailhost.anl.gov ([130.202.113.50]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1ITPuH-0001nZ-TC for kaml@ietf.org; Thu, 06 Sep 2007 18:33:02 -0400
Received: from mailhost.anl.gov (localhost [127.0.0.1]) by localhost.ctd.anl.gov (Postfix) with ESMTP id 971F73E; Thu, 6 Sep 2007 17:33:01 -0500 (CDT)
Received: from [127.0.0.1] (atalanta.it.anl.gov [146.137.96.104]) by mailhost.anl.gov (Postfix) with ESMTP id 7C2743D; Thu, 6 Sep 2007 17:33:01 -0500 (CDT)
Message-ID: <46E0801D.20700@anl.gov>
Date: Thu, 06 Sep 2007 17:33:01 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Tom Scavo <trscavo@gmail.com>
Subject: Re: [KAML] Re: Chicago bar-BOF summary
References: <46DE5CC1.10204@it.su.se> <8158D751-0EE0-4D58-81DB-549C4A413B68@jpl.nasa.gov> <ea2af9bd0709061303x356b65b9je237294f93de4c0e@mail.gmail.com> <46E064A9.7000504@anl.gov> <ea2af9bd0709061356l2c60e65la0f4d02334cc4205@mail.gmail.com>
In-Reply-To: <ea2af9bd0709061356l2c60e65la0f4d02334cc4205@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: d8ae4fd88fcaf47c1a71c804d04f413d
Cc: kaml@ietf.org
X-BeenThere: kaml@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about SAML and Kerberos intersections <kaml.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/kaml>, <mailto:kaml-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/kaml>
List-Post: <mailto:kaml@ietf.org>
List-Help: <mailto:kaml-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/kaml>, <mailto:kaml-request@ietf.org?subject=subscribe>
Errors-To: kaml-bounces@ietf.org
Tom Scavo wrote: > On 9/6/07, Douglas E. Engert <deengert@anl.gov> wrote: >> Tom Scavo wrote: >>> FWIW, we are embedding SAML assertions in short-lived X.509 >>> certificates >> So you are talking RFC3820 proxy certificates? > > Yes, we have a tool that issues a proxy certificate with a SAML > assertion bound to a non-critical certificate extension. We also have > an online CA that issues short-lived end entity certificates with a > similar extension. > >> One problem is that PKINIT today does use any of these assertions >> when issuing a TGT, and does not forward these assertions in the TGT. >> Thus my suggestion of passing the cert and chain in the TGT. >> >> Now if SAML processing is added to the KDC, maybe it should pass >> along any SAML assertions found in the cert cert chain rather then >> the full cert. > > Again, just to illustrate our particular use of SAML, the relying > party traverses the certificate chain up to the first > non-impersonation proxy (which in practice is usually the EEC) and > consumes any and all bound SAML assertions. So multiple assertions > may be involved, from multiple SAML issuers. One of my concerns with Kerberos in the middle; who is the relying party? Is it the KDC or is it the service for which a service ticket I would argue that in the user's view point it is the service. Today the KDC has ignored any assertions in the cert (or cert chain if it supports it at all) and has not passed any of this along to the service. There are at least two ways to pass this along: (1) Pass the cert and chain, then the service can make its own authorization decisions, (2) have the KDC find these assertions in the certs and pass them along in some new SAML. (1) is all but transparent to the KDC, and does not require it to understand any SAML or any of the asertions, and does not lose any information, in that is is passing on *ALL* the information it got including non-SAML information in the certs. (2) requires the KDC to parse the certs,and repackage the assertions. and it may lose other valuable information in the certs. Ticket size might be smaller in (1)the in (2) KDC are for authentication, they are not expected to do authorization but may add information to allow the service to do the authorization, therefore I favor (1) over (2). > > Tom Scavo > NCSA > > -- Douglas E. Engert <DEEngert@anl.gov> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 _______________________________________________ KAML mailing list KAML@ietf.org https://www1.ietf.org/mailman/listinfo/kaml
- Re: [KAML] Chicago bar-BOF summary Leif Johansson
- [KAML] Re: Chicago bar-BOF summary Henry B. Hotz
- [KAML] Chicago bar-BOF summary Leif Johansson
- RE: [KAML] Chicago bar-BOF summary Josh Howlett
- Re: [KAML] Chicago bar-BOF summary Leif Johansson
- RE: [KAML] Chicago bar-BOF summary Josh Howlett
- Re: [KAML] Re: Chicago bar-BOF summary Tom Scavo
- Re: [KAML] Re: Chicago bar-BOF summary Douglas E. Engert
- Re: [KAML] Re: Chicago bar-BOF summary Douglas E. Engert
- Re: [KAML] Re: Chicago bar-BOF summary Tom Scavo
- Re: [KAML] Re: Chicago bar-BOF summary Henry B. Hotz
- Re: [KAML] Re: Chicago bar-BOF summary Henry B. Hotz
- RE: [KAML] Re: Chicago bar-BOF summary Taylor, Dennis C. (GSFC-720.0)[INDUS]
- Re: [KAML] Re: Chicago bar-BOF summary Douglas E. Engert
- Re: [KAML] Re: Chicago bar-BOF summary Henry B. Hotz
- Re: [KAML] Re: Chicago bar-BOF summary Scott Cantor
- Re: [KAML] Re: Chicago bar-BOF summary Leif Johansson
- Re: [KAML] Re: Chicago bar-BOF summary Henry B. Hotz
- RE: [KAML] Re: Chicago bar-BOF summary Scott Cantor
- Re: [KAML] Re: Chicago bar-BOF summary Leif Johansson
- Re: [KAML] Re: Chicago bar-BOF summary Douglas E. Engert
- Re: [KAML] Re: Chicago bar-BOF summary Henry B. Hotz
- Re: [KAML] Re: Chicago bar-BOF summary Leif Johansson
- Re: [KAML] Re: Chicago bar-BOF summary Henry B. Hotz
- Re: [KAML] Re: Chicago bar-BOF summary Gerald Beuchelt
- Re: [KAML] Re: Chicago bar-BOF summary Henry B. Hotz
- Re: [KAML] Re: Chicago bar-BOF summary Gerald Beuchelt
- Re: [KAML] Re: Chicago bar-BOF summary Douglas E. Engert
- Re: [KAML] Re: Chicago bar-BOF summary Henry B. Hotz
- Re: [KAML] Re: Chicago bar-BOF summary Gerald Beuchelt
- Re: [KAML] Re: Chicago bar-BOF summary Gerald Beuchelt
- Re: [KAML] Re: Chicago bar-BOF summary Douglas E. Engert