Re: [KAML] Re: Chicago bar-BOF summary

Gerald Beuchelt <beuchelt@sun.com> Thu, 13 September 2007 19:32 UTC

Return-path: <kaml-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IVuQN-0006j4-Fa; Thu, 13 Sep 2007 15:32:27 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IVuQM-0006iv-1l for kaml@ietf.org; Thu, 13 Sep 2007 15:32:26 -0400
Received: from brmea-mail-3.sun.com ([192.18.98.34]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1IVuQK-0001Fp-C5 for kaml@ietf.org; Thu, 13 Sep 2007 15:32:25 -0400
Received: from fe-amer-10.sun.com ([192.18.109.80]) by brmea-mail-3.sun.com (8.13.6+Sun/8.12.9) with ESMTP id l8DJWND2021833 for <kaml@ietf.org>; Thu, 13 Sep 2007 19:32:23 GMT
Received: from conversion-daemon.mail-amer.sun.com by mail-amer.sun.com (Sun Java System Messaging Server 6.2-8.04 (built Feb 28 2007)) id <0JOB00I01NBO2400@mail-amer.sun.com> (original mail from beuchelt@sun.com) for kaml@ietf.org; Thu, 13 Sep 2007 13:32:23 -0600 (MDT)
Received: from [129.148.176.198] by mail-amer.sun.com (Sun Java System Messaging Server 6.2-8.04 (built Feb 28 2007)) with ESMTPSA id <0JOB00LRUNLNAM20@mail-amer.sun.com>; Thu, 13 Sep 2007 13:32:12 -0600 (MDT)
Date: Thu, 13 Sep 2007 15:32:46 -0400
From: Gerald Beuchelt <beuchelt@sun.com>
Subject: Re: [KAML] Re: Chicago bar-BOF summary
In-reply-to: <C5437591-6811-4087-9C89-D7959A6872D4@jpl.nasa.gov>
To: "Henry B. Hotz" <hotz@jpl.nasa.gov>
Message-id: <46E9905E.3040404@sun.com>
Organization: Sun Microsystems, Inc.
MIME-version: 1.0
References: <46DE5CC1.10204@it.su.se> <8158D751-0EE0-4D58-81DB-549C4A413B68@jpl.nasa.gov> <9B9324ACE4CA354EAF122E7D0E0673B64BDF23@NDMSEVS22.ndc.nasa.gov> <D80F0FFA-D9FF-48F1-B410-75078B40E8D7@jpl.nasa.gov> <46E1A274.1080600@anl.gov> <D208EBD0-1182-49C6-9A6F-B3210C4627E5@jpl.nasa.gov> <46E79162.2010402@it.su.se> <C5437591-6811-4087-9C89-D7959A6872D4@jpl.nasa.gov>
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
X-Spam-Score: 0.0 (/)
X-Scan-Signature: a1f9797ba297220533cb8c3f4bc709a8
Cc: "Taylor, Dennis C. \(GSFC-720.0\)\[INDUS\]" <Dennis.C.Taylor@nasa.gov>, kaml@ietf.org
X-BeenThere: kaml@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about SAML and Kerberos intersections <kaml.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/kaml>, <mailto:kaml-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/kaml>
List-Post: <mailto:kaml@ietf.org>
List-Help: <mailto:kaml-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/kaml>, <mailto:kaml-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1400395595=="
Errors-To: kaml-bounces@ietf.org

Yes, this has been out for a while. If I remember correctly, they even 
posted a document that describes all the holes in the PAC that were not 
covered by this article or the old (expired) draft.

<snip>


        PAC Credential Information (PAC_LOGON_INFO)

    PAC_INFO_BUFFERs of type PAC_LOGON_INFO contain the credential
    information for the client of the Kerberos ticket. The data itself
    is contained in a KERB_VALIDATION_INFO structure, which is NDR
    encoded. The output of the NDR encoding is placed in the
    PAC_INFO_BUFFER structure of type PAC_LOGON_INFO.

    typedef struct _KERB_VALIDATION_INFO {
        FILETIME Reserved0;
        FILETIME Reserved1;
        FILETIME KickOffTime;
        FILETIME Reserved2;
        FILETIME Reserved3;
        FILETIME Reserved4;
        UNICODE_STRING Reserved5;
        UNICODE_STRING Reserved6;
        UNICODE_STRING Reserved7;
        UNICODE_STRING Reserved8;
        UNICODE_STRING Reserved9;
        UNICODE_STRING Reserved10;
        USHORT Reserved11;
        USHORT Reserved12;
        ULONG UserId;
        ULONG PrimaryGroupId;
        ULONG GroupCount;
        [size_is(GroupCount)] PGROUP_MEMBERSHIP GroupIds;
        ULONG UserFlags;
        ULONG Reserved13[4];
        UNICODE_STRING Reserved14;
        UNICODE_STRING Reserved15;
        PSID LogonDomainId;
        ULONG Reserved16[2];
        ULONG Reserved17;
        ULONG Reserved18[7];
        ULONG SidCount;
        [size_is(SidCount)] PKERB_SID_AND_ATTRIBUTES ExtraSids;
        PSID ResourceGroupDomainSid;
        ULONG ResourceGroupCount;
        [size_is(ResourceGroupCount)] PGROUP_MEMBERSHIP ResourceGroupIds;
    } KERB_VALIDATION_INFO;
      

    Reserved fields are not defined in this document and are not used in
    the construction of access control tokens.

</snip>

However, note that there is no patent covenant or even simple licensing 
terms for the backend infrastructure, so while implementing these data 
structures might be covered *to the extend that they are documented 
here), the necessary backend infrastructure might require additional 
licensing and royalties.

Best,

Gerald

Henry B. Hotz wrote:
> Jeffrey Altman just posted a link on the krbdev list.  I guess it's no 
> longer even nominally proprietary.
>
> http://msdn.microsoft.com/library/en-us/dnkerb/html/MSDN_PAC.asp
>
> On Sep 12, 2007, at 12:12 AM, Leif Johansson wrote:
>
>>
>>>
>>> I would be happier with this solution if the PAC format were at least
>>> an informational RFC.  The format is now well known and widely
>>> implemented, but AFAIK the description document isn't available
>>> without all the old warnings.  People have also found in practice that
>>> the PAC scales to an unpleasant size in many real deployments.
>>
>> What we are trying to do here is probably a bit more general than PAC 
>> which afaik contains information about group membership. By 
>> comparison a SAML attribute assertion is far more portable, based on 
>> published standards and equiped with more expressive power. In 
>> addition SAML is a very short stretch for MSFT to implement at least 
>> technically.
>>
>>     Cheers Leif
>
> ------------------------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
>
>
>
> _______________________________________________
> KAML mailing list
> KAML@ietf.org
> https://www1.ietf.org/mailman/listinfo/kaml
_______________________________________________
KAML mailing list
KAML@ietf.org
https://www1.ietf.org/mailman/listinfo/kaml