Re: [KAML] Re: Chicago bar-BOF summary
"Tom Scavo" <trscavo@gmail.com> Thu, 06 September 2007 20:56 UTC
Message-ID: <ea2af9bd0709061356l2c60e65la0f4d02334cc4205@mail.gmail.com>
Date: Thu, 06 Sep 2007 16:56:40 -0400
From: Tom Scavo <trscavo@gmail.com>
To: "Douglas E. Engert" <deengert@anl.gov>
Subject: Re: [KAML] Re: Chicago bar-BOF summary
In-Reply-To: <46E064A9.7000504@anl.gov>
References: <46DE5CC1.10204@it.su.se> <8158D751-0EE0-4D58-81DB-549C4A413B68@jpl.nasa.gov> <ea2af9bd0709061303x356b65b9je237294f93de4c0e@mail.gmail.com> <46E064A9.7000504@anl.gov>
Cc: kaml@ietf.org
On 9/6/07, Douglas E. Engert <deengert@anl.gov> wrote:
> Tom Scavo wrote:
> >
> > FWIW, we are embedding SAML assertions in short-lived X.509
> > certificates
>
> So you are talking RFC3820 proxy certificates?

Yes, we have a tool that issues a proxy certificate with a SAML
assertion bound to a non-critical certificate extension. We also have
an online CA that issues short-lived end entity certificates with a
similar extension.

> One problem is that PKINIT today does use any of these assertions
> when issuing a TGT, and does not forward these assertions in the TGT.
> Thus my suggestion of passing the cert and chain in the TGT.
>
> Now if SAML processing is added to the KDC, maybe it should pass
> along any SAML assertions found in the cert chain rather than
> the full cert.

Again, just to illustrate our particular use of SAML, the relying
party traverses the certificate chain up to the first
non-impersonation proxy (which in practice is usually the EEC) and
consumes any and all bound SAML assertions. So multiple assertions may
be involved, from multiple SAML issuers.

Tom Scavo
NCSA

_______________________________________________
KAML mailing list
KAML@ietf.org
https://www1.ietf.org/mailman/listinfo/kaml
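The chain walk Tom describes (leaf upward to the first non-impersonation proxy, consuming every bound assertion on the way) is shown below as an added example; it is not the NCSA tool's code and nothing in the thread specifies its internals. Certificates are modelled as plain records rather than parsed DER, the ProxyCertInfo value is reduced to its policy-language OID (the RFC 3820 OIDs are real), the OID of the SAML-binding extension is a made-up placeholder since the thread does not name one, and the sample chain and assertions are constructed. Signature verification of the chain and of each assertion is assumed to have happened before this step and is not shown. The walk also stops early at an independent (non-impersonation) proxy and rejects an unknown critical extension, the two edge cases a relying party has to get right.

```python
"""Chain walk for SAML assertions bound to RFC 3820 proxy certificates
(constructed example; stdlib only, nothing here is the NCSA tool's code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
import xml.etree.ElementTree as ET

# OIDs defined in RFC 3820 (real values).
OID_PROXY_CERT_INFO = "1.3.6.1.5.5.7.1.14"   # id-pe-proxyCertInfo
OID_PPL_INHERIT_ALL = "1.3.6.1.5.5.7.21.1"   # id-ppl-inheritAll: impersonation proxy
OID_PPL_INDEPENDENT = "1.3.6.1.5.5.7.21.2"   # id-ppl-independent: non-impersonation
# The thread does not name the SAML-binding extension's OID; this is a placeholder.
OID_SAML_BINDING = "1.3.6.1.4.1.99999.1.1"   # hypothetical
KNOWN_EXTENSIONS = {OID_PROXY_CERT_INFO, OID_SAML_BINDING}
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


@dataclass
class Extension:
    critical: bool
    value: str   # ProxyCertInfo: policy-language OID; SAML binding: XML text


@dataclass
class Cert:
    subject: str
    issuer: str
    extensions: Dict[str, Extension] = field(default_factory=dict)

    def is_impersonation_proxy(self) -> bool:
        ext = self.extensions.get(OID_PROXY_CERT_INFO)
        return ext is not None and ext.value == OID_PPL_INHERIT_ALL


@dataclass
class BoundAssertion:
    issuer: str     # SAML issuer (IdP or attribute authority)
    subject: str    # NameID carried in the assertion
    bound_to: str   # subject DN of the certificate carrying it


def parse_assertions(xml_text: str) -> List[Tuple[str, str]]:
    """Return (issuer, name_id) for every saml:Assertion in an extension value."""
    root = ET.fromstring(xml_text)
    found = []
    for node in root.iter("{%s}Assertion" % SAML_NS["saml"]):
        issuer = node.findtext("saml:Issuer", namespaces=SAML_NS)
        if issuer is None:
            raise ValueError("assertion without saml:Issuer")
        name_id = node.findtext("saml:Subject/saml:NameID", default="", namespaces=SAML_NS)
        found.append((issuer.strip(), name_id.strip()))
    return found


def collect_bound_assertions(chain: List[Cert],
                             trusted_issuers: Optional[Set[str]] = None) -> List[BoundAssertion]:
    """Walk chain[0] (leaf) upward, stop at the first non-impersonation proxy
    (that certificate included), and return every bound assertion seen."""
    for lower, upper in zip(chain, chain[1:]):
        if lower.issuer != upper.subject:
            raise ValueError("broken chain at %s" % lower.subject)
    out: List[BoundAssertion] = []
    for cert in chain:
        for oid, ext in cert.extensions.items():
            if ext.critical and oid not in KNOWN_EXTENSIONS:
                raise ValueError("unknown critical extension %s in %s" % (oid, cert.subject))
        ext = cert.extensions.get(OID_SAML_BINDING)
        if ext is not None:
            if ext.critical:
                raise ValueError("SAML binding extension must be non-critical")
            for issuer, name_id in parse_assertions(ext.value):
                if trusted_issuers is not None and issuer not in trusted_issuers:
                    continue   # drop assertions from issuers this RP does not trust
                out.append(BoundAssertion(issuer, name_id, cert.subject))
        if not cert.is_impersonation_proxy():
            break              # first non-impersonation proxy, usually the EEC
    return out


def _assertion_xml(issuer: str, name_id: str) -> str:
    """Constructed, unsigned SAML 2.0 assertion skeleton (sample input only)."""
    return ('<saml:Assertion xmlns:saml="%s" Version="2.0" ID="_sample" '
            'IssueInstant="2007-09-06T20:56:40Z"><saml:Issuer>%s</saml:Issuer>'
            '<saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject>'
            '</saml:Assertion>' % (SAML_NS["saml"], issuer, name_id))


def build_sample_chain() -> List[Cert]:
    """Constructed chain, leaf first: proxy -> proxy -> EEC -> online CA."""
    ca = Cert("CN=Example Online CA,O=Example", "CN=Example Online CA,O=Example")
    eec = Cert("CN=Alice,O=Example", ca.subject, {
        OID_SAML_BINDING: Extension(False, _assertion_xml(
            "https://idp.example.org/idp", "alice@example.org"))})
    proxy1 = Cert("CN=proxy,CN=Alice,O=Example", eec.subject, {
        OID_PROXY_CERT_INFO: Extension(True, OID_PPL_INHERIT_ALL),
        OID_SAML_BINDING: Extension(False, _assertion_xml(
            "https://vo.example.org/aa", "alice@example.org"))})
    proxy2 = Cert("CN=proxy,CN=proxy,CN=Alice,O=Example", proxy1.subject, {
        OID_PROXY_CERT_INFO: Extension(True, OID_PPL_INHERIT_ALL)})
    return [proxy2, proxy1, eec, ca]


def build_chain_with_independent_proxy() -> List[Cert]:
    """As above, but the first proxy is independent, so the walk stops there
    and the EEC's assertion is not consumed."""
    chain = build_sample_chain()
    chain[1].extensions[OID_PROXY_CERT_INFO] = Extension(True, OID_PPL_INDEPENDENT)
    return chain


if __name__ == "__main__":
    for a in collect_bound_assertions(build_sample_chain()):
        print(a.issuer, "->", a.subject, "bound to", a.bound_to)
```

On the constructed chain the walk returns two assertions from two different SAML issuers (the VO attribute authority on the first proxy, then the IdP on the EEC) and never touches the CA certificate; with an independent proxy in the middle only the proxy's own assertion is returned. Passing `trusted_issuers` is the RP-side filter that decides which issuers' statements are allowed to count.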