security-services message



Subject: Re: Updated Kerberos docs for next SSTC Call


On 11 Sep 2009, at 16:45, Thomas Hardjono wrote:
> Folks,
>
> I have just uploaded additional drafts related to the Kerberos work:
>
> (a) Kerberos Attribute profile (draft-02):
>      http://www.oasis-open.org/apps/org/workgroup/security/download.php/34160/sstc-saml-attribute-kerberos-02.odt
>
> (b) Kerberos Subject Confirmation Method (draft-00):
>      http://www.oasis-open.org/apps/org/workgroup/security/download.php/34161/sstc-saml-kerberos-subject-confirmation-method%2000.odt
>
> We look forward to comments/inputs regarding these docs for the next  
> SSTC Call (Sept 22, 2009).

I thought it might be useful to provide some use-case context to these.

In the first use-case, the Kerberos Subject Confirmation Method will  
be profiled with the Web SSO Profile within another document that I'm  
working on: the Kerberos Web SSO Profile. It is conceptually very  
similar to the HoK Web SSO Profile. Here's the abstract:

"The SAML V2.0 Kerberos Web Browser SSO Profile allows for transport  
of assertions bearing a Kerberos Subject Confirmation Method by  
standard HTTP user agents with no modification of client software and  
maximum compatibility with existing deployments. The flow is similar  
to standard Web Browser SSO, but a Kerberos service ticket presented  
by the user agent via a Kerberos/GSS/Negotiate handshake names a  
Kerberos principal. The presentation of a valid Kerberos service  
ticket whose user principal name matches the principal name given in  
the Subject Confirmation element strengthens the assurance of the  
resulting authentication context and protects against credential  
theft. In addition, the profile also enables discovery of the Identity  
Provider by attempting to match the user principal's realm, given in  
the Kerberos ticket, to realms named in SAML metadata. This avoids or  
mitigates the requirement for human interaction, improving the user  
experience with Service Providers that are associated with two or more  
Identity Providers."

The second use-case is extending the use of Kerberos-based evidence in  
web services. I'm currently modeling this as the STP in which the  
client presents a SAML assertion containing a Kerberos attribute  
statement. This assertion may also contain a Kerberos Subject  
Confirmation.

The final use-case is enabling the use of Kerberos to establish trust  
between SAML entities, allowing the exclusive use of Kerberos within a  
SAML deployment.

josh.
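As an added illustration of the first use-case in the message above (not code from the SSTC drafts or from the poster), the two checks a Service Provider would perform once the Negotiate handshake has yielded an authenticated principal: confirm that the principal name in the assertion's Subject matches the ticket's principal, and derive the Identity Provider from the ticket realm. The Method URI, the way realms are mapped from metadata, and the sample assertion are all assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Optional

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Placeholder: the real Method identifier is defined in the SSTC draft, not reproduced here.
KERBEROS_CM = "urn:example:kerberos-subject-confirmation-method"

# Constructed sample assertion, as a Service Provider might receive it via Web Browser SSO.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID>alice@EXAMPLE.ORG</saml:NameID>
    <saml:SubjectConfirmation Method="urn:example:kerberos-subject-confirmation-method"/>
  </saml:Subject>
</saml:Assertion>"""


def confirmed_principal(assertion_xml: str) -> Optional[str]:
    """Return the principal named by the Subject when the assertion carries a
    Kerberos SubjectConfirmation; None when no such confirmation is present."""
    root = ET.fromstring(assertion_xml)
    subject = root.find("saml:Subject", NS)
    if subject is None:
        return None
    methods = {sc.get("Method") for sc in subject.findall("saml:SubjectConfirmation", NS)}
    if KERBEROS_CM not in methods:
        return None
    name_id = subject.find("saml:NameID", NS)
    return name_id.text.strip() if name_id is not None and name_id.text else None


def confirm_subject(assertion_xml: str, ticket_principal: str) -> bool:
    """Accept only if the principal authenticated by the GSS/Negotiate handshake exactly
    matches the confirmed principal. Kerberos names are case-sensitive, so no folding;
    any mismatch or missing confirmation fails closed."""
    expected = confirmed_principal(assertion_xml)
    return expected is not None and expected == ticket_principal


def discover_idp(ticket_principal: str, realm_to_idp: Dict[str, str]) -> Optional[str]:
    """Pick the IdP whose metadata names the user's realm (mapping assumed to be built
    from SAML metadata); None means fall back to interactive discovery."""
    _, sep, realm = ticket_principal.rpartition("@")
    if not sep or not realm:
        return None
    return realm_to_idp.get(realm)
```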

