Re: [KAML] Re: Chicago bar-BOF summary

Leif Johansson <> Fri, 07 September 2007 18:40 UTC

Return-path: <>
Received: from [] ( by with esmtp (Exim 4.43) id 1ITikM-0008O0-4J; Fri, 07 Sep 2007 14:40:02 -0400
Received: from [] ( by with esmtp (Exim 4.43) id 1ITikK-0008Nh-5W for; Fri, 07 Sep 2007 14:40:00 -0400
Received: from ([]) by with esmtp (Exim 4.43) id 1ITikJ-0004sf-PH for; Fri, 07 Sep 2007 14:40:00 -0400
Received: from localhost (localhost []) by (Postfix) with ESMTP id B05FB3BE6C; Fri, 7 Sep 2007 20:39:58 +0200 (CEST)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with LMTP id 12290-01-3; Fri, 7 Sep 2007 20:39:58 +0200 (CEST)
Received: from [] ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTP id 2BD233BE61; Fri, 7 Sep 2007 20:39:57 +0200 (CEST)
Message-ID: <>
Date: Fri, 07 Sep 2007 20:40:25 +0200
From: Leif Johansson <>
User-Agent: Thunderbird (X11/20070824)
MIME-Version: 1.0
To: Scott Cantor <>
Subject: Re: [KAML] Re: Chicago bar-BOF summary
References: <> <> <> <> <> <> <> <014701c7f177$9f770c50$de6524f0$>
In-Reply-To: <014701c7f177$9f770c50$de6524f0$>
Content-Type: text/plain; charset=ISO-8859-1
X-Virus-Scanned: by amavisd-new at
X-Spam-Status: No, hits=-2.262 tagged_above=-99 required=7 tests=[AWL=0.050, BAYES_00=-2.312]
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 8abaac9e10c826e8252866cbe6766464
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about SAML and Kerberos intersections <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>

Scott Cantor wrote:
>> Is it conceivable that we could define a standards compliant SAML
>> token, that could be produced in XER, that would also be accepted
>> outside the Kerberos community?
> If by accepted you mean "usable with any existing SAML code", the answer is
> clearly no.
> -- Scott

I've talked to Love Hörnquist Åstrand (who can speak for himself
actually) - the heimdal lead - about SAML in the kdc (or any other
part of the code for that matter). He was mostly worried about
how the integration could happen safely. I think his position would
be similar to what a developer working on code never touched
by ASN.1 would be: this is a large piece of something I have no
control over and no way to audit.

So yes Scott, it is true that no SAML library supports XER out
of the box today but that is probably a minor problem compared
to figuring out how (say) something like heimdal could depend
on something like opensaml without creating an unmanageable

These are important things to figure out eventually but we
should probably keep the horse ahead of the cart for now and
concentrate on semantics.

    Cheers Leif

KAML mailing list