Re: [KAML] Re: Chicago bar-BOF summary
Gerald Beuchelt <beuchelt@sun.com> Thu, 13 September 2007 19:32 UTC
Date: Thu, 13 Sep 2007 15:32:46 -0400
From: Gerald Beuchelt <beuchelt@sun.com>
Subject: Re: [KAML] Re: Chicago bar-BOF summary
In-reply-to: <C5437591-6811-4087-9C89-D7959A6872D4@jpl.nasa.gov>
To: "Henry B. Hotz" <hotz@jpl.nasa.gov>
Message-id: <46E9905E.3040404@sun.com>
Organization: Sun Microsystems, Inc.
References: <46DE5CC1.10204@it.su.se> <8158D751-0EE0-4D58-81DB-549C4A413B68@jpl.nasa.gov> <9B9324ACE4CA354EAF122E7D0E0673B64BDF23@NDMSEVS22.ndc.nasa.gov> <D80F0FFA-D9FF-48F1-B410-75078B40E8D7@jpl.nasa.gov> <46E1A274.1080600@anl.gov> <D208EBD0-1182-49C6-9A6F-B3210C4627E5@jpl.nasa.gov> <46E79162.2010402@it.su.se> <C5437591-6811-4087-9C89-D7959A6872D4@jpl.nasa.gov>
Cc: "Taylor, Dennis C. (GSFC-720.0)[INDUS]" <Dennis.C.Taylor@nasa.gov>, kaml@ietf.org
Yes, this has been out for a while. If I remember correctly, they even posted a document that describes all the holes in the PAC that were not covered by this article or the old (expired) draft.

<snip>
PAC Credential Information (PAC_LOGON_INFO)

PAC_INFO_BUFFERs of type PAC_LOGON_INFO contain the credential information for the client of the Kerberos ticket. The data itself is contained in a KERB_VALIDATION_INFO structure, which is NDR encoded. The output of the NDR encoding is placed in the PAC_INFO_BUFFER structure of type PAC_LOGON_INFO.

    typedef struct _KERB_VALIDATION_INFO {
        FILETIME Reserved0;
        FILETIME Reserved1;
        FILETIME KickOffTime;
        FILETIME Reserved2;
        FILETIME Reserved3;
        FILETIME Reserved4;
        UNICODE_STRING Reserved5;
        UNICODE_STRING Reserved6;
        UNICODE_STRING Reserved7;
        UNICODE_STRING Reserved8;
        UNICODE_STRING Reserved9;
        UNICODE_STRING Reserved10;
        USHORT Reserved11;
        USHORT Reserved12;
        ULONG UserId;
        ULONG PrimaryGroupId;
        ULONG GroupCount;
        [size_is(GroupCount)] PGROUP_MEMBERSHIP GroupIds;
        ULONG UserFlags;
        ULONG Reserved13[4];
        UNICODE_STRING Reserved14;
        UNICODE_STRING Reserved15;
        PSID LogonDomainId;
        ULONG Reserved16[2];
        ULONG Reserved17;
        ULONG Reserved18[7];
        ULONG SidCount;
        [size_is(SidCount)] PKERB_SID_AND_ATTRIBUTES ExtraSids;
        PSID ResourceGroupDomainSid;
        ULONG ResourceGroupCount;
        [size_is(ResourceGroupCount)] PGROUP_MEMBERSHIP ResourceGroupIds;
    } KERB_VALIDATION_INFO;

Reserved fields are not defined in this document and are not used in the construction of access control tokens.
</snip>

However, note that there is no patent covenant or even simple licensing terms for the backend infrastructure, so while implementing these data structures might be covered (to the extent that they are documented here), the necessary backend infrastructure might require additional licensing and royalties.

Best,
Gerald

Henry B. Hotz wrote:
> Jeffrey Altman just posted a link on the krbdev list. I guess it's no
> longer even nominally proprietary.
>
> http://msdn.microsoft.com/library/en-us/dnkerb/html/MSDN_PAC.asp
>
> On Sep 12, 2007, at 12:12 AM, Leif Johansson wrote:
>
>>
>>>
>>> I would be happier with this solution if the PAC format were at least
>>> an informational RFC. The format is now well known and widely
>>> implemented, but AFAIK the description document isn't available
>>> without all the old warnings. People have also found in practice that
>>> the PAC scales to an unpleasant size in many real deployments.
>>
>> What we are trying to do here is probably a bit more general than PAC
>> which afaik contains information about group membership. By
>> comparison a SAML attribute assertion is far more portable, based on
>> published standards and equipped with more expressive power. In
>> addition SAML is a very short stretch for MSFT to implement at least
>> technically.
>>
>> Cheers Leif
>
> ------------------------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
>
>
>
> _______________________________________________
> KAML mailing list
> KAML@ietf.org
> https://www1.ietf.org/mailman/listinfo/kaml
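The message above quotes the KERB_VALIDATION_INFO layout but not the container that carries it. What follows is an added example, not code from this thread or from Microsoft: a Python parser for the top-level PAC container (the PACTYPE header followed by a table of 16-byte PAC_INFO_BUFFER entries of ulType, cbBufferSize and 64-bit Offset, as laid out in the MS-PAC specification) that locates the PAC_LOGON_INFO buffer and reports per-buffer sizes after bounds, alignment and duplicate-type checks, before any NDR decoding would be attempted. The buffer-type constants follow MS-PAC; the sample blob is constructed here with placeholder payloads (it holds no real NDR-encoded KERB_VALIDATION_INFO and no valid signatures), and the parser does not verify PAC signatures.

```python
"""Defensive parser for the PAC container (PACTYPE / PAC_INFO_BUFFER).

Added example. The container layout follows the MS-PAC specification; the
sample data below is constructed for this example and is not a real PAC.
"""
import struct
from dataclasses import dataclass

# Buffer types from MS-PAC (only the ones used in this example).
PAC_LOGON_INFO = 0x01        # NDR-encoded KERB_VALIDATION_INFO
PAC_SERVER_CHECKSUM = 0x06
PAC_KDC_CHECKSUM = 0x07
PAC_CLIENT_INFO = 0x0A

HEADER_FMT = "<II"           # cBuffers, Version (little-endian)
BUFFER_FMT = "<IIQ"          # ulType, cbBufferSize, Offset
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 8
BUFFER_SIZE = struct.calcsize(BUFFER_FMT)   # 16


class PacFormatError(ValueError):
    """The container violates a structural rule; do not trust its contents."""


@dataclass(frozen=True)
class PacBuffer:
    ul_type: int
    data: bytes


def parse_pac(blob: bytes, max_buffers: int = 64) -> dict[int, PacBuffer]:
    """Return buffers keyed by ulType, refusing malformed containers.

    Checks: Version must be 0, the buffer table must fit, every buffer must
    lie inside the blob past the table on an 8-byte boundary, and a type may
    appear only once. Signature verification is out of scope here.
    """
    if len(blob) < HEADER_SIZE:
        raise PacFormatError("blob shorter than PACTYPE header")
    count, version = struct.unpack_from(HEADER_FMT, blob, 0)
    if version != 0:
        raise PacFormatError(f"unsupported PAC version {version}")
    if count > max_buffers:
        raise PacFormatError(f"cBuffers {count} exceeds limit {max_buffers}")
    table_end = HEADER_SIZE + count * BUFFER_SIZE
    if table_end > len(blob):
        raise PacFormatError("buffer table runs past end of blob")
    buffers: dict[int, PacBuffer] = {}
    for i in range(count):
        ul_type, size, offset = struct.unpack_from(
            BUFFER_FMT, blob, HEADER_SIZE + i * BUFFER_SIZE)
        if ul_type in buffers:
            raise PacFormatError(f"duplicate buffer type 0x{ul_type:02x}")
        if offset % 8:
            raise PacFormatError(f"buffer {i}: offset {offset} not 8-byte aligned")
        if offset < table_end or offset + size > len(blob):
            raise PacFormatError(f"buffer {i}: [{offset}, {offset + size}) outside blob")
        buffers[ul_type] = PacBuffer(ul_type, blob[offset:offset + size])
    return buffers


def is_well_formed(blob: bytes) -> bool:
    """Boolean wrapper around parse_pac for callers that only need a verdict."""
    try:
        parse_pac(blob)
        return True
    except PacFormatError:
        return False


def buffer_sizes(blob: bytes) -> dict[int, int]:
    """Bytes per buffer type: shows where a large PAC's size actually goes."""
    return {t: len(b.data) for t, b in parse_pac(blob).items()}


def build_pac(payloads: list[tuple[int, bytes]]) -> bytes:
    """Encode a container from (ulType, payload) pairs, padding each to 8 bytes."""
    table_len = HEADER_SIZE + len(payloads) * BUFFER_SIZE   # always a multiple of 8
    table = bytearray(struct.pack(HEADER_FMT, len(payloads), 0))
    body = bytearray()
    for ul_type, payload in payloads:
        table += struct.pack(BUFFER_FMT, ul_type, len(payload), table_len + len(body))
        body += payload + b"\x00" * (-len(payload) % 8)
    return bytes(table + body)


def tamper_offset(blob: bytes, new_offset: int) -> bytes:
    """Constructed tampering: rewrite the first table entry's Offset field."""
    out = bytearray(blob)
    struct.pack_into("<Q", out, HEADER_SIZE + 8, new_offset)
    return bytes(out)


# Constructed sample: placeholder payloads standing in for NDR data and
# checksum blobs (not a real KERB_VALIDATION_INFO, not valid signatures).
SAMPLE_PAC = build_pac([
    (PAC_LOGON_INFO, b"logon-info-placeholder"),
    (PAC_CLIENT_INFO, b"client-info-placeholder"),
    (PAC_SERVER_CHECKSUM, b"\x00" * 20),
    (PAC_KDC_CHECKSUM, b"\x00" * 20),
])

if __name__ == "__main__":
    for ul_type, size in buffer_sizes(SAMPLE_PAC).items():
        print(f"buffer type 0x{ul_type:02x}: {size} bytes")
    print("tampered offset accepted:", is_well_formed(tamper_offset(SAMPLE_PAC, 1 << 20)))
```

The structural checks are the point: a consumer that trusts cbBufferSize and Offset without comparing them to the blob length reads out of bounds on a malformed container, and a consumer that decodes PAC_LOGON_INFO before checking the checksum buffers acts on unverified group membership. On a real PAC the bytes under PAC_LOGON_INFO are the NDR stream described in the quoted documentation, and the group arrays (GroupIds, ExtraSids, ResourceGroupIds) are where the "unpleasant size" mentioned in the thread accumulates.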