Re: [kitten] Proposed GSS extension for explicit credential stores
Nico Williams <nico@cryptonector.com> Tue, 03 April 2012 14:35 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73A1521F8793 for <kitten@ietfa.amsl.com>; Tue, 3 Apr 2012 07:35:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.77
X-Spam-Level:
X-Spam-Status: No, score=-0.77 tagged_above=-999 required=5 tests=[AWL=1.207, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X64WYX7XSW6Q for <kitten@ietfa.amsl.com>; Tue, 3 Apr 2012 07:35:11 -0700 (PDT)
Received: from homiemail-a35.g.dreamhost.com (caiajhbdcagg.dreamhost.com [208.97.132.66]) by ietfa.amsl.com (Postfix) with ESMTP id B874E21F879E for <kitten@ietf.org>; Tue, 3 Apr 2012 07:35:04 -0700 (PDT)
Received: from homiemail-a35.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a35.g.dreamhost.com (Postfix) with ESMTP id 7B77854073 for <kitten@ietf.org>; Tue, 3 Apr 2012 07:35:03 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; c=nofws; d=cryptonector.com; h=mime-version :in-reply-to:references:date:message-id:subject:from:to:cc :content-type:content-transfer-encoding; q=dns; s= cryptonector.com; b=XPx3Ivjl04DEnkBFVD15D8pAGATc5a26BjxQJ/XtTaVi aAKNQojYAXQIF/qptEgpF2RTFU2mgT/1Wy6K7PQ114q7ujB2u6wXn4v5/HIPNXUH hpsXuTypoysO3XkRRF6vLIW+bbrBFmxJZYHmGBBDXKC8KzPTe194lyuuZc2g3Uw=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type:content-transfer-encoding; s= cryptonector.com; bh=XBmRO7d813GaR5ZcVqHrvoS7VJI=; b=NsjFLrsWWDk fPbJab0Td61jWZIQZwtuECGz2e9xurB+blrbOZG2mILWby7QgHp7421kjFwcHS5l CPddyJifQJsVIhINDYigwSjoNHZ4RZ8mbMndTUDO7KJHUPKlRyBlzC9FQretLiNV H0eK/KsvMWAomVLJzpilBPHn7UiHI6s0=
Received: from mail-pb0-f44.google.com (mail-pb0-f44.google.com [209.85.160.44]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a35.g.dreamhost.com (Postfix) with ESMTPSA id 381DE5405B for <kitten@ietf.org>; Tue, 3 Apr 2012 07:35:03 -0700 (PDT)
Received: by pbbrq13 with SMTP id rq13so5498130pbb.31 for <kitten@ietf.org>; Tue, 03 Apr 2012 07:35:01 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.68.219.3 with SMTP id pk3mr14254541pbc.34.1333463701098; Tue, 03 Apr 2012 07:35:01 -0700 (PDT)
Received: by 10.68.28.6 with HTTP; Tue, 3 Apr 2012 07:35:00 -0700 (PDT)
In-Reply-To: <87y5qdrocb.fsf@latte.josefsson.org>
References: <CAK3OfOgh7TvkxvdtsNvNHn9YMTgWa_1aJ4=ozkrujvHxG8K0-Q@mail.gmail.com> <CAK3OfOg5NEc5coye1jPNdQ_X1J0SWdRxo_cG58ozCkLL23izjg__2631.29941090501$1333429012$gmane$org@mail.gmail.com> <87y5qdrocb.fsf@latte.josefsson.org>
Date: Tue, 03 Apr 2012 09:35:00 -0500
Message-ID: <CAK3OfOibDqiX+n_0c3mL3A=OX9E-6pdUXEMKW9ZxrXipa1Rsvg@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Simon Josefsson <simon@josefsson.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: kitten@ietf.org
Subject: Re: [kitten] Proposed GSS extension for explicit credential stores
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Apr 2012 14:35:14 -0000
On Tue, Apr 3, 2012 at 7:28 AM, Simon Josefsson <simon@josefsson.org> wrote: >> URNs will be provided for at least the following: > I'd really like to see SAML SP metadata included here initially, and > would be willing to help with writing. For simplicity, you could have > multiple URns here, right? I'm thinking something like this: Yes, you can have multiple key/value pairs, and the keys are URNs. And you can have multiple key/value pairs with the same key, so I think we need to make the abstract type be SEQUENCE OF SEQUENCE { ... }. > urn.ietf.kitten.saml.sp.metadata-file => > "/etc/myapp/sp-metadata.xml" Sure. > urn.ietf.kitten.saml.sp.key-file => > "/etc/myapp/sp-key.pem" Sure. > urn.ietf.kitten.saml.sp.cert-file => > "/etc/myapp/sp-cert.pem" Sure. > urn.ietf.kitten.saml.sp.metadata => > "<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ..." Sure. > urn.ietf.kitten.saml.sp.cert => > "-----BEGIN CERTIFICATE -----\nMII..." To repeat what Simo said, we shouldn't put secrets (and I know, a cert is not a secret, but the private key to go with it is) in configuration files. Secrets should go in separate files or HSMs. > Alternatively, there could be a "struct" approach for SAML SP > credentials if you wanted to use only one URN for each credential, > however it gets a bit more ugly: We want multiple key/value pairs, not just one. For example, it'd make sense to specify both, a keytab and a ccache, but we want separate key/value pairs for keytab and ccache. It also makes sense to specify multiple keytabs. > urn.ietf.kitten.saml.sp => > "metadata_file=/etc/myapp/sp-metadata.xml, key_file=/etc/myapp/sp-key.pem, ..." Sure. Nico --
- [kitten] Proposed GSS extension for explicit cred… Nico Williams
- Re: [kitten] Proposed GSS extension for explicit … Simon Josefsson
- Re: [kitten] Proposed GSS extension for explicit … Simo Sorce
- Re: [kitten] Proposed GSS extension for explicit … Nico Williams