Re: [kitten] sasl saml and sasl openID
Martin Rex <mrex@sap.com> Thu, 18 November 2010 02:40 UTC
Return-Path: <mrex@sap.com>
X-Original-To: kitten@core3.amsl.com
Delivered-To: kitten@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CA5BC3A63D3 for <kitten@core3.amsl.com>; Wed, 17 Nov 2010 18:40:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.825
X-Spam-Level:
X-Spam-Status: No, score=-9.825 tagged_above=-999 required=5 tests=[AWL=-0.176, BAYES_00=-2.599, HELO_EQ_DE=0.35, J_CHICKENPOX_21=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Unw74rLK2OaX for <kitten@core3.amsl.com>; Wed, 17 Nov 2010 18:40:54 -0800 (PST)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by core3.amsl.com (Postfix) with ESMTP id 4C47D3A635F for <kitten@ietf.org>; Wed, 17 Nov 2010 18:40:54 -0800 (PST)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id oAI2fdD2015807 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 18 Nov 2010 03:41:39 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <201011180241.oAI2fcKa014881@fs4113.wdf.sap.corp>
To: hartmans-ietf@mit.edu
Date: Thu, 18 Nov 2010 03:41:38 +0100
In-Reply-To: <tsleiamkk8t.fsf@carter-zimmerman.suchdamage.org> from "Sam Hartman" at Nov 15, 10 10:41:54 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal03
X-SAP: out
Cc: kitten@ietf.org, simon@josefsson.org, hartmans-ietf@mit.edu
Subject: Re: [kitten] sasl saml and sasl openID
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Nov 2010 02:40:55 -0000
Sam Hartman wrote: > > You've certainly seen a lot of GSS-API mechanisms. However those > mechanisms were not proposed for standardization within the IETF. Actually, it is just the opposite. http://tools.ietf.org/html/draft-ietf-cat-kerb5gss (->rfc1964) and http://tools.ietf.org/html/draft-ietf-cat-spkmgss (->rfc2025) have about the same age. rfc-2743, section 5.3 http://tools.ietf.org/html/rfc2743#page-90 was already part of the very first GSS-API v2 draft http://tools.ietf.org/html/draft-ietf-cat-gssv2-00 and described the architecture of a real implementation/product that we certified for interop with our app in 1998. So the architecture for X.509/PKI gssapi mechanism related to SPKM existed at least one year before I first heard about the existence of GSS-API. During the design of the GSS-API support by our application, I tried to accomodate for the _published_ characteristics, because it was clear that we were _not_ going to build and ship Single Sign-On solutions ourselves, but instead rely solely on third-party products and therefore be portable as much as our own architecture allowed. Adding an addtional target-identity paramter to all connection APIs, command lines and configurations was actually trivial compared to the hoops we had to jump through in order to account for Kerbgss shortcomings. The non-obvious Kerberos 5 gssapi mechanism problems: - enforced security context expiration. Our app is the only app I know that implements a security context refresh logic in order to replace an expiring gssapi security context with a new one for longterm communication links For a very short time in Windows2000 Beta3 Microsoft enabled security context expiration and realized that they couldn't handle it, so they are ignoring it ever since. Some SPKM mechanisms offer lifetime-limited security contexts at request by the application. - initiating credentials expiration requiring frequent out-of-band refresh operations. The side-effecting of credentials lifetime on security context lifetime is a challenge for automatic security context refresh logic. Other than TLS, security context refresh is burdened completely onto the caller above GSS-API, who has to establish a seperate security context, check whether the lifetime of the new is longer than the remaining of the old and then synchronously change from using the old security context for message protection and unprotection to using the new security context and deleting the old. Expiring initiating credentials required admins of distributed apps to configure e.g. a frequent cron-job "kinit -k app-abc/host.f.q.d.n" to refresh initiating creds, because many kerb-libraries on unix didn't simply do this themselves and didn't document this necessity anywhere either. Microsoft Kerberos was the first Kerberos5 implementation I saw with an acceptable credentials management. - users can not acquire accepting credentials With SPKM you can initiate trivially in both directions, while with Kerberos5, whenever you need a parallel,independent, gss-api protected communication link established, you need to ensure that the original initiator will also be the initiator for all additional parallel communication links. With SPKM, no such restriction exists, so an acceptor can gss_inquire_context(old_ctx, &src_name, &targ_name); gss_acquire_cred(&acc_cred, &targ_name); gss_init_sec_context(cred=acc_cred, target=src_name, &new_ctx) with ease, while with Kerberos, the app must first define and transfer an app request over old_ctx telling the initiator to establish a new security context. Microsoft Kerberos allows users to acquire accepting credentials. Since there is some security problem with allowing rfc-1964 two-token authentication with acceptors using password-based keys, Microsoft also implemented a (so far not standardized) variant of the Kerberos 5 mechanism for the "user2user" or "double-TGT" authentication scheme from the Kerberos 5 protocol specification. - Kerberos does not work across firewalls and alien address spaces Our app client was/is able to traverse proxy chains, e.g. in order to access customer systems for remote support. Securing such logons with Kerberos will never work. There is a proposal for an "IAKERB" gssapi mechanism from Microsoft to "out-source" all communication between the initiator/client and the KDC to the acceptor/server, but there hasn't been much visible progress over the last decade. SPKM mechanism implementations without a prerequisite of KDC-like access to an online directory (as Entrusts product) work just fine across any number of app-level proxies and completely independent of the low-level network connectivity between initiator and acceptor. Having to accomodate for the lack of hostbased service names in your app and app protocol is really a no-brainer. Accounting for undocumented shortcoming of most Kerberos implementations in a large distributed application, on the other hand, requires quite an enormous effort. I do remeber our first Video Conference with MIT & Ted Ts'o in April 1995, when we discussed how to make Kerberos Single Sign-On usable for our application, and I proposed to use GSS-API to interface to MIT Kerberos. Ted was very explicit that using the native Kerberos API would be much easier for us -- but I alread had obtained a requirement to support an X.509/PKI based authentication scheme for specific other customers, so I chose GSS-API as a common ground for a unified solution architecture. And then Ted got me involved with the IETF. -Martin
- [kitten] sasl saml and sasl openID Sam Hartman
- Re: [kitten] sasl saml and sasl openID Simon Josefsson
- Re: [kitten] sasl saml and sasl openID Sam Hartman
- Re: [kitten] sasl saml and sasl openID Klaas Wierenga
- Re: [kitten] sasl saml and sasl openID Simon Josefsson
- Re: [kitten] sasl saml and sasl openID Klaas Wierenga
- Re: [kitten] sasl saml and sasl openID Simon Josefsson
- Re: [kitten] sasl saml and sasl openID Sam Hartman
- Re: [kitten] sasl saml and sasl openID Klaas Wierenga (kwiereng)
- Re: [kitten] sasl saml and sasl openID Klaas Wierenga
- Re: [kitten] sasl saml and sasl openID Nicolas Williams
- Re: [kitten] sasl saml and sasl openID Martin Rex
- Re: [kitten] sasl saml and sasl openID Martin Rex
- Re: [kitten] sasl saml and sasl openID Simon Josefsson
- Re: [kitten] sasl saml and sasl openID Scott Cantor
- Re: [kitten] sasl saml and sasl openID Sam Hartman
- Re: [kitten] sasl saml and sasl openID Nicolas Williams
- Re: [kitten] sasl saml and sasl openID Martin Rex
- Re: [kitten] sasl saml and sasl openID Nicolas Williams
- Re: [kitten] sasl saml and sasl openID Sam Hartman
- Re: [kitten] sasl saml and sasl openID Sam Hartman
- Re: [kitten] sasl saml and sasl openID Nicolas Williams
- Re: [kitten] sasl saml and sasl openID Martin Rex
- Re: [kitten] sasl saml and sasl openID Simon Josefsson
- Re: [kitten] sasl saml and sasl openID Scott Cantor
- Re: [kitten] sasl saml and sasl openID Martin Rex
- Re: [kitten] sasl saml and sasl openID Sam Hartman
- Re: [kitten] sasl saml and sasl openID Nicolas Williams
- Re: [kitten] sasl saml and sasl openID Sam Hartman
- Re: [kitten] sasl saml and sasl openID Jeffrey Hutzelman
- Re: [kitten] sasl saml and sasl openID Jeffrey Hutzelman
- Re: [kitten] sasl saml and sasl openID Henry B. Hotz
- Re: [kitten] sasl saml and sasl openID Cantor, Scott E.