>>>>> "Rafa" == Rafa Marin Lopez <[email protected]> writes:
Rafa> Hi Sam: Please see my comments/questions inline.
Rafa> On 06/09/2011, at 15:52, Sam Hartman wrote:
>>
>> Hi. At the mic in Quebec I raised the following issue about GSS
>> preauth and ABFAB.
>>
>> I want to be able to use GSS preauth between the RP and the KDC
>> even if the initiator knows nothing about it.
Rafa> Could you elaborate a little bit about the motivation related
Rafa> to this and what is the associated issue?
Sure.
The idea is that you have some resource domain of servers.
You'd like to use GSS-EAP (ABFAB) to access them.
However you want a central place to define policy, perform
authorizations, etc.
You've decided that Kerberos works well for that.
All authentications into the domain must go through the KDC. Only the
KDC can create authorizations.
You want the initiator to be able to take advantage of a TGT for fast
reauthentication within a domain if the initiator understands how.
However, you want to work with any initiator. So, depending on
gss-preauth-specific changes to the initiator isn't acceptable. In
particular you don't want to have to bypass the KDC for old initiators.
Services are not trusted to make authorization decisions.
>>
>> That is: gss-eap initiator <-> RP
>> FAST(rp armor key, gss-preauth(gss-eap)) RP <-> KDC
>> When that happens:
Rafa> Before going into detail I would like to understand this flow
Rafa> (at first sight, it vaguely reminded me the use of IAKERB
Rafa> where the RP is IAKERB proxy. But it seems you are pursuing a
Rafa> different thing). It seems that the RP is acting as Kerberos
Rafa> client that uses a GSS-API based pre-authentication mechanism
Rafa> and the content of the gss-api token contains the gss-eap
Rafa> token provided by the user. Is that right?
Your understanding is correct.
--Sam
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab