Hi Sam: Please see my comments/questions inline.
On 06/09/2011, at 15:52, Sam Hartman wrote:

> Hi.
> At the mic in Quebec I raised the following issue about GSS preauth and
> ABFAB.
>
> I want to be able to use GSS preauth between the RP and the KDC even if
> the initiator knows nothing about it.

Could you elaborate a little bit about the motivation related to this and what is the associated issue?

> That is: gss-eap initiator <-> RP FAST(rp armor key,
> gss-preauth(gss-eap)) RP <-> KDC. When that happens:

Before going into detail I would like to understand this flow (at first sight, it vaguely reminded me of the use of IAKERB, where the RP is the IAKERB proxy. But it seems you are pursuing a different thing). It seems that the RP is acting as a Kerberos client that uses a GSS-API based pre-authentication mechanism, and the content of the GSS-API token contains the gss-eap token provided by the user. Is that right?

Best regards and thanks in advance.

> * The initiator should obtain a TGT which it probably can't use because,
> well, it doesn't know about gss preauth
>
> * The RP should obtain a service ticket. This is critical and is the
> motivation for allowing gss preauth even when the initiator doesn't
> know about it. This allows the KDC to be a central policy point all
> the time gss-eap is used.
>
> * The initiator and KDC know the TGT key
>
> * The initiator, RP and KDC know the context key for the gss-eap context
> between the initiator and RP. It's not critical the KDC knows this
> key, but it will
>
> Is there any interest in figuring out how to do this? If we cannot, then
> Moonshot may end up introducing a separate eap-preauth proposal to meet
> this use case. It would be highly desirable to avoid both eap-preauth
> and gss-preauth. I think everyone agrees that gss-preauth is cleaner if
> we can make it work.
> _______________________________________________
> abfab mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/abfab

-------------------------------------------------------
Rafael Marin Lopez, PhD
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science - University of Murcia
30100 Murcia - Spain
Telf: +34868888501 Fax: +34868884151
e-mail: [email protected]
-------------------------------------------------------

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
