Rafa> Hi Sam: Thanks for these clarifications. My comments inline
Rafa> again.

Rafa> On 06/09/2011, at 17:38, Sam Hartman wrote:

>>>>>>> "Rafa" == Rafa Marin Lopez <[email protected]> writes:
>>
Rafa> Hi Sam: Please see my comments/questions inline.
>>
Rafa> On 06/09/2011, at 15:52, Sam Hartman wrote:
>>
>>>>
>>> Hi.  At the mic in Quebec I raised the following issue about GSS
>>> preauth and ABFAB.
>>>
>>> I want to be able to use GSS preauth between the RP and the KDC
>>> even if the initiator knows nothing about it.
> 
>    Rafa> Could you elaborate a little bit about the motivation related
>    Rafa> to this and what is the associated issue?
> 
> Sure.
> The idea is that you have some resource domain of servers.
> You'd like to use GSS-EAP (ABFAB) to access them.

> However  you want a central place to define policy, perform
> authorizations, etc.
> You've decided that Kerberos works well for that.
> All authentications into the domain must go through the KDC. Only the
> KDC can create authorizations.
> 
> You want the initiator to be able to take advantage of a TGT for fast
> reauthentication within a domain if the initiator understands how.

Rafa> May we assume that the TGT will be involved in a Kerberos exchange
Rafa> later on? I mean, I think that the TGT will have to be provided to
Rafa> the initiator somehow (within the GSS-EAP exchange?).

Rafa> I assume that the initiator will have some Kerberos source code
Rafa> implemented to handle the TGT and to request service tickets.
Rafa> Otherwise, having a TGT is useless, as you mention.

I don't think these are reasonable assumptions.  I think we can assume
that if a TGT is used, it is provided to the initiator. I'm fine if a
TGT is only provided when it is going to be used.  However, I want a
service ticket provided (with authorization data) to the RP even if the
initiator has never heard of Kerberos and has no Kerberos code at all
other than the RFC 3961 implementation inherent in gss-eap.

In response to Nico's question about trusted proxies: I don't think
there is much trust involved in allowing the RP to interact with a
service ticket.  In effect what I think we're building is a form of
protocol transition where rather than trusting the RP to assert that the
client is authenticating, we're providing a GSS-EAP exchange targeted at
the RP to a KDC.
To me, that level of trust (much less than protocol transition) is
highly desirable.

--Sam
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab