RE: [KAML] Chicago bar-BOF summary

"Josh Howlett" <Josh.Howlett@ja.net> Fri, 24 August 2007 11:00 UTC

Subject: RE: [KAML] Chicago bar-BOF summary
Date: Fri, 24 Aug 2007 11:59:56 +0100
Message-ID: <6ED388AA006C454BA35B0098396B9BFB028F5423@uxsrvr20.atlas.ukerna.ac.uk>
From: "Josh Howlett" <Josh.Howlett@ja.net>
To: "Leif Johansson" <leifj@it.su.se>, <kaml@ietf.org>
Cc: Josh Howlett <Josh.Howlett@ja.net>
List-Id: Discussions about SAML and Kerberos intersections <kaml.ietf.org>
List-Archive: <http://www1.ietf.org/pipermail/kaml>

> The use-cases:
> 
> 1. Was a smart-card used?

Just to clarify: is this use-case describing 1) "LoA" for Kerberos or 2)
extending SAML LoA to permit richer expressions?
 
> 2. The standardized PAC
> 
> An AD domain controller includes data about the groups a user 
> is a member of in the PA-DATA field of the KDC-REP. A 
> generalization of this concept might be to include a SAML 
> authentication response in the PA-DATA.

...presumably this could be further generalised to allow assertions in
general, or even lower-level constructs such as an artifact (pointing to
an assertion)?

> Hope this is enough to get things started. I know the
> smart-card use-case was discussed on the heimdal
> list (although possibly not in the generality I
> presented above). Other use-cases have been discussed
> on other lists.

I'm curious whether we can use SAML, and the trust fabrics that are
realised through SAML federation metadata, to support some kind of
cross-realm Kerberos operation - perhaps using a SAML-based profile for
inter-KDC communication (following PKCROSS' example)?

The use-case would be a visitor requiring access to some local
Kerberos-protected network resource, but no local credentials.

However, such a profile might also provide a way to avoid using the Web
SSO Profile (in a browser context, obviously) and therefore side-step
the associated IdP "discovery problem". The browser could authenticate
using Negotiate (anonymously/pseudonymously) to the SP; authorisation
could subsequently be performed using the familiar SAML-based
mechanisms; perhaps boot-strapped through an artifact returned in the
PAC (which is used as the discovery 'cue').

best regards, josh.

_______________________________________________
KAML mailing list
KAML@ietf.org
https://www1.ietf.org/mailman/listinfo/kaml