RE: [KAML] Chicago bar-BOF summary

"Josh Howlett" <Josh.Howlett@ja.net> Wed, 29 August 2007 07:23 UTC

Subject: RE: [KAML] Chicago bar-BOF summary
Date: Wed, 29 Aug 2007 08:22:35 +0100
Message-ID: <6ED388AA006C454BA35B0098396B9BFB028F553C@uxsrvr20.atlas.ukerna.ac.uk>
Thread-Topic: [KAML] Chicago bar-BOF summary
From: Josh Howlett <Josh.Howlett@ja.net>
To: Leif Johansson <leifj@it.su.se>
Cc: Josh Howlett <Josh.Howlett@ja.net>, kaml@ietf.org
List-Id: Discussions about SAML and Kerberos intersections <kaml.ietf.org>

Leif Johansson wrote:
> Josh Howlett wrote:
> > I'm curious whether we can use SAML, and the trust fabrics that are
> > realised through SAML federation metadata, to support some kind of
> > cross-realm Kerberos operation - perhaps using a SAML-based
> > profile for inter-KDC communication (following PKCROSS' example)?
> >
> > The use-case would be a visitor requiring access to some local
> > Kerberos-protected network resource, but no local credentials.
> >   
> Did you read draft-sakane-krb-cross-problem-statement? It looks
> like you may be describing something related to 5.6 (in version 03)

Not quite - I'm assuming that the user has contacted his KDC. A better
description is 5.3 'Scalability of the direct trust model'.

> > However, such a profile might also provide a way to avoid using the Web
> > SSO Profile (in a browser context, obviously) and therefore side-step
> > the associated IdP "discovery problem". The browser could authenticate
> > using Negotiate (anonymously/pseudonymously) to the SP; authorisation
> > could subsequently be performed using the familiar SAML-based
> > mechanisms; perhaps boot-strapped through an artifact returned in the
> > PAC (which is used as the discovery 'cue').
> >
> > best regards, josh.
> >   
> I guess it's not so much side-stepping IdP discovery as it is using
> the IdP discovery which has already happened.

Yes, that's a better description.

FWIW, I think this is just a generalisation of the "WebSSO kerberos
n-tier problem" in a cross-realm context. Does that make sense? :-)

josh.

_______________________________________________
KAML mailing list
KAML@ietf.org
https://www1.ietf.org/mailman/listinfo/kaml