Re: [KAML] Re: Chicago bar-BOF summary

"Tom Scavo" <trscavo@gmail.com> Thu, 06 September 2007 20:56 UTC

Message-ID: <ea2af9bd0709061356l2c60e65la0f4d02334cc4205@mail.gmail.com>
Date: Thu, 06 Sep 2007 16:56:40 -0400
From: Tom Scavo <trscavo@gmail.com>
To: "Douglas E. Engert" <deengert@anl.gov>
Subject: Re: [KAML] Re: Chicago bar-BOF summary
In-Reply-To: <46E064A9.7000504@anl.gov>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <46DE5CC1.10204@it.su.se> <8158D751-0EE0-4D58-81DB-549C4A413B68@jpl.nasa.gov> <ea2af9bd0709061303x356b65b9je237294f93de4c0e@mail.gmail.com> <46E064A9.7000504@anl.gov>
Cc: kaml@ietf.org

On 9/6/07, Douglas E. Engert <deengert@anl.gov> wrote:
> Tom Scavo wrote:
> >
> > FWIW, we are embedding SAML assertions in short-lived X.509
> > certificates
>
> So you are talking RFC3820 proxy certificates?

Yes, we have a tool that issues a proxy certificate with a SAML
assertion bound to a non-critical certificate extension.  We also have
an online CA that issues short-lived end entity certificates with a
similar extension.

> One problem is that PKINIT today does use any of these assertions
> when issuing a TGT, and does not forward these assertions in the TGT.
> Thus my suggestion of passing the cert and chain in the TGT.
>
> Now if SAML processing is added to the KDC, maybe it should pass
> along any SAML assertions found in the cert chain rather than
> the full cert.

Again, just to illustrate our particular use of SAML, the relying
party traverses the certificate chain up to the first
non-impersonation proxy (which in practice is usually the EEC) and
consumes any and all bound SAML assertions.  So multiple assertions
may be involved, from multiple SAML issuers.

Tom Scavo
NCSA

_______________________________________________
KAML mailing list
KAML@ietf.org
https://www1.ietf.org/mailman/listinfo/kaml