Re: [KAML] Re: Chicago bar-BOF summary

Gerald Beuchelt <beuchelt@sun.com> Thu, 13 September 2007 19:32 UTC

Date: Thu, 13 Sep 2007 15:32:46 -0400
From: Gerald Beuchelt <beuchelt@sun.com>
Subject: Re: [KAML] Re: Chicago bar-BOF summary
In-reply-to: <C5437591-6811-4087-9C89-D7959A6872D4@jpl.nasa.gov>
To: "Henry B. Hotz" <hotz@jpl.nasa.gov>
Message-id: <46E9905E.3040404@sun.com>
Organization: Sun Microsystems, Inc.
References: <46DE5CC1.10204@it.su.se> <8158D751-0EE0-4D58-81DB-549C4A413B68@jpl.nasa.gov> <9B9324ACE4CA354EAF122E7D0E0673B64BDF23@NDMSEVS22.ndc.nasa.gov> <D80F0FFA-D9FF-48F1-B410-75078B40E8D7@jpl.nasa.gov> <46E1A274.1080600@anl.gov> <D208EBD0-1182-49C6-9A6F-B3210C4627E5@jpl.nasa.gov> <46E79162.2010402@it.su.se> <C5437591-6811-4087-9C89-D7959A6872D4@jpl.nasa.gov>
Cc: "Taylor, Dennis C. (GSFC-720.0)[INDUS]" <Dennis.C.Taylor@nasa.gov>, kaml@ietf.org

Yes, this has been out for a while. If I remember correctly, they even 
posted a document that describes all the holes in the PAC that were not 
covered by this article or the old (expired) draft.

<snip>


        PAC Credential Information (PAC_LOGON_INFO)

    PAC_INFO_BUFFERs of type PAC_LOGON_INFO contain the credential
    information for the client of the Kerberos ticket. The data itself
    is contained in a KERB_VALIDATION_INFO structure, which is NDR
    encoded. The output of the NDR encoding is placed in the
    PAC_INFO_BUFFER structure of type PAC_LOGON_INFO.

    typedef struct _KERB_VALIDATION_INFO {
        FILETIME Reserved0;
        FILETIME Reserved1;
        FILETIME KickOffTime;
        FILETIME Reserved2;
        FILETIME Reserved3;
        FILETIME Reserved4;
        UNICODE_STRING Reserved5;
        UNICODE_STRING Reserved6;
        UNICODE_STRING Reserved7;
        UNICODE_STRING Reserved8;
        UNICODE_STRING Reserved9;
        UNICODE_STRING Reserved10;
        USHORT Reserved11;
        USHORT Reserved12;
        ULONG UserId;
        ULONG PrimaryGroupId;
        ULONG GroupCount;
        [size_is(GroupCount)] PGROUP_MEMBERSHIP GroupIds;
        ULONG UserFlags;
        ULONG Reserved13[4];
        UNICODE_STRING Reserved14;
        UNICODE_STRING Reserved15;
        PSID LogonDomainId;
        ULONG Reserved16[2];
        ULONG Reserved17;
        ULONG Reserved18[7];
        ULONG SidCount;
        [size_is(SidCount)] PKERB_SID_AND_ATTRIBUTES ExtraSids;
        PSID ResourceGroupDomainSid;
        ULONG ResourceGroupCount;
        [size_is(ResourceGroupCount)] PGROUP_MEMBERSHIP ResourceGroupIds;
    } KERB_VALIDATION_INFO;
      

    Reserved fields are not defined in this document and are not used in
    the construction of access control tokens.

</snip>

However, note that there is no patent covenant or even simple licensing 
terms for the backend infrastructure, so while implementing these data 
structures might be covered (to the extent that they are documented 
here), the necessary backend infrastructure might require additional 
licensing and royalties.

Best,

Gerald

Henry B. Hotz wrote:
> Jeffrey Altman just posted a link on the krbdev list.  I guess it's no 
> longer even nominally proprietary.
>
> http://msdn.microsoft.com/library/en-us/dnkerb/html/MSDN_PAC.asp
>
> On Sep 12, 2007, at 12:12 AM, Leif Johansson wrote:
>
>>
>>>
>>> I would be happier with this solution if the PAC format were at least
>>> an informational RFC.  The format is now well known and widely
>>> implemented, but AFAIK the description document isn't available
>>> without all the old warnings.  People have also found in practice that
>>> the PAC scales to an unpleasant size in many real deployments.
>>
>> What we are trying to do here is probably a bit more general than PAC 
>> which afaik contains information about group membership. By 
>> comparison a SAML attribute assertion is far more portable, based on 
>> published standards and equipped with more expressive power. In 
>> addition SAML is a very short stretch for MSFT to implement at least 
>> technically.
>>
>>     Cheers Leif
>
> ------------------------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
>
>
>
> _______________________________________________
> KAML mailing list
> KAML@ietf.org
> https://www1.ietf.org/mailman/listinfo/kaml
_______________________________________________
KAML mailing list
KAML@ietf.org
https://www1.ietf.org/mailman/listinfo/kaml
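The excerpt quoted above says only that KERB_VALIDATION_INFO is NDR encoded and placed in a PAC_INFO_BUFFER of type PAC_LOGON_INFO; it does not show the outer layout a relying party has to walk before it reaches that blob. The following is an added example, not code from this thread, from Microsoft, or from any Kerberos implementation: a bounds-checking parser for the outer PAC layout as specified in MS-PAC (a PACTYPE header of cBuffers and Version, followed by an array of PAC_INFO_BUFFER entries of ulType, cbBufferSize and a 64-bit Offset), plus a check of the 16-byte MS-RPCE type-serialization header that prefixes the NDR-encoded logon info. The ulType constants, the 8-byte alignment rule and the NDR header bytes are taken from those specifications; the build_pac helper, the PacFormatError class, the function names and the sample PAC are this example's own constructions.

```python
# Added example: defensive parser for the outer PAC layout (PACTYPE + PAC_INFO_BUFFER
# array) and for the NDR type-serialization header of the PAC_LOGON_INFO blob.
# Layout follows MS-PAC / MS-RPCE; names, helper and sample data are constructed here.
import struct

# ulType values of PAC_INFO_BUFFER (MS-PAC)
PAC_LOGON_INFO = 1          # NDR-encoded KERB_VALIDATION_INFO
PAC_SERVER_CHECKSUM = 6
PAC_PRIVSVR_CHECKSUM = 7    # KDC checksum
PAC_CLIENT_INFO = 10

PACTYPE_HDR = struct.Struct("<II")    # cBuffers, Version (Version must be 0)
INFO_BUFFER = struct.Struct("<IIQ")   # ulType, cbBufferSize, Offset from start of PACTYPE

# MS-RPCE type serialization v1 common header: Version=1, Endianness=0x10 (little
# endian), CommonHeaderLength=8, Filler=0xCCCCCCCC. A private header follows:
# ObjectBufferLength (4 bytes) and a zero filler (4 bytes).
NDR_COMMON_HEADER = bytes.fromhex("01100800cccccccc")


class PacFormatError(ValueError):
    """Raised when the bytes violate the documented PAC layout."""


def parse_pac_buffers(pac: bytes) -> list[dict]:
    """Return the buffer directory; every offset and length is checked before use."""
    if len(pac) < PACTYPE_HDR.size:
        raise PacFormatError("PAC shorter than the PACTYPE header")
    cbuffers, version = PACTYPE_HDR.unpack_from(pac, 0)
    if version != 0:
        raise PacFormatError(f"unsupported PACTYPE version {version}")
    dir_end = PACTYPE_HDR.size + cbuffers * INFO_BUFFER.size
    if dir_end > len(pac):
        raise PacFormatError("cBuffers claims more entries than the PAC holds")
    entries = []
    for i in range(cbuffers):
        ultype, size, offset = INFO_BUFFER.unpack_from(
            pac, PACTYPE_HDR.size + i * INFO_BUFFER.size)
        # Python ints do not wrap, so offset + size cannot overflow like a C ULONG sum.
        if offset < dir_end or offset + size > len(pac):
            raise PacFormatError(f"buffer {i} (type {ultype}) points outside the PAC")
        if offset % 8:
            raise PacFormatError(f"buffer {i} offset {offset} is not 8-byte aligned")
        entries.append({"type": ultype, "offset": offset, "size": size})
    return entries


def logon_info_blob(pac: bytes) -> bytes:
    """Extract the one PAC_LOGON_INFO buffer (the NDR-encoded KERB_VALIDATION_INFO)."""
    matches = [e for e in parse_pac_buffers(pac) if e["type"] == PAC_LOGON_INFO]
    if len(matches) != 1:
        raise PacFormatError(f"expected one PAC_LOGON_INFO buffer, found {len(matches)}")
    e = matches[0]
    return pac[e["offset"]: e["offset"] + e["size"]]


def check_ndr_type_header(blob: bytes) -> int:
    """Validate the 16-byte type-serialization header; return ObjectBufferLength."""
    if len(blob) < 16 or blob[:8] != NDR_COMMON_HEADER:
        raise PacFormatError("missing or foreign NDR common type header")
    obj_len, filler = struct.unpack_from("<II", blob, 8)
    if filler != 0 or obj_len > len(blob) - 16:
        raise PacFormatError("NDR private header length exceeds the buffer")
    return obj_len


def is_malformed(pac: bytes) -> bool:
    """True when the outer layout is rejected (convenience wrapper for callers)."""
    try:
        parse_pac_buffers(pac)
        return False
    except PacFormatError:
        return True


def build_pac(buffers: list[tuple[int, bytes]]) -> bytes:
    """Assemble a PAC from (ulType, payload) pairs, padding each buffer to 8 bytes.
    Constructed helper for producing test input; not a signing routine."""
    directory = PACTYPE_HDR.pack(len(buffers), 0)
    offset = PACTYPE_HDR.size + len(buffers) * INFO_BUFFER.size  # already a multiple of 8
    body = b""
    for ultype, payload in buffers:
        directory += INFO_BUFFER.pack(ultype, len(payload), offset)
        pad = (-len(payload)) % 8
        body += payload + b"\0" * pad
        offset += len(payload) + pad
    return directory + body


# Constructed sample: a 24-byte dummy NDR object behind a valid type header, plus two
# 16-byte checksum buffers filled with zeros (placeholders, not real signatures).
FAKE_LOGON_INFO = NDR_COMMON_HEADER + struct.pack("<II", 24, 0) + bytes(range(24))
SAMPLE_PAC = build_pac([
    (PAC_LOGON_INFO, FAKE_LOGON_INFO),
    (PAC_SERVER_CHECKSUM, bytes(16)),
    (PAC_PRIVSVR_CHECKSUM, bytes(16)),
])

if __name__ == "__main__":
    for entry in parse_pac_buffers(SAMPLE_PAC):
        print(entry)
    print("logon info object length:", check_ndr_type_header(logon_info_blob(SAMPLE_PAC)))
```

The checks are the ones a consumer of a PAC should make before trusting any of the offsets: the directory must fit, each buffer must lie after the directory and inside the PAC, and offsets must be 8-byte aligned. Decoding the KERB_VALIDATION_INFO fields themselves requires a full NDR unmarshaller (conformant arrays for GroupIds and ExtraSids, deferred pointers for the UNICODE_STRINGs) and is deliberately out of scope here.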