Re: [KAML] latest status

Luke Howard <> Sat, 19 September 2009 18:04 UTC

From: Luke Howard <>
To: "Henry B. Hotz" <>
List-Id: Discussions about SAML and Kerberos intersections <>

> I think there is interest in solving the authorization problem in a  
> way that scales better than the MS PAC.  There's interest on  
> Microsoft's part as well.  Nobody's come up with a solution that  
> enough people find attractive though.

I'm interested in this, when I get some cycles to work on it. The GSS
naming extensions and S4U projects recently committed to MIT will
help; also, I've created a couple of placeholder projects at:

Last I heard from MS (earlier this week), they are moving towards  
claims-based authorisation but are undecided whether they will support  
claims with "legacy" services such as the file server, and thus  
whether they will support claims in the PAC. (This statement was  
couched in very vague terms, so I might be misinterpreting.)

Their whitepapers on Geneva are worth reading, too:

-- Luke