Re: [KAML] latest status

Luke Howard <lukeh@padl.com> Sat, 19 September 2009 18:04 UTC

Message-Id: <B4275EF3-278C-4CB0-875D-E284BCCF8C9D@padl.com>
From: Luke Howard <lukeh@padl.com>
To: "Henry B. Hotz" <hotz@jpl.nasa.gov>
In-Reply-To: <0AC447C8-C281-4432-BC43-93FD295B8FDC@jpl.nasa.gov>
Date: Sat, 19 Sep 2009 20:05:09 +0200
References: <46fc8a10909180713x3116deb5l2cfade36f6b85a2e@mail.gmail.com> <0AC447C8-C281-4432-BC43-93FD295B8FDC@jpl.nasa.gov>
Cc: kaml@ietf.org
Subject: Re: [KAML] latest status
List-Id: Discussions about SAML and Kerberos intersections <kaml.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/kaml>

> I think there is interest in solving the authorization problem in a
> way that scales better than the MS PAC.  There's interest on
> Microsoft's part as well.  Nobody's come up with a solution that
> enough people find attractive though.

I'm interested in this, when I get some cycles to work on it.  The GSS
naming extensions and S4U projects recently committed to MIT will
help; I've also created a couple of placeholder projects at:

	http://k5wiki.kerberos.org/wiki/Projects/SAMLInKerberos
	http://k5wiki.kerberos.org/wiki/Projects/KerberosInSAML

Last I heard from MS (earlier this week), they are moving towards
claims-based authorisation but are undecided whether they will support
claims with "legacy" services such as the file server, and thus
whether they will support claims in the PAC. (This statement was
couched in very vague terms, so I might be misinterpreting.)

Their whitepapers on Geneva are worth reading, too:

http://www.microsoft.com/downloads/details.aspx?FamilyID=9ca5c685-3172-4d8f-81cb-1a59bdc9f7e3&displaylang=en

-- Luke