Hi Sam:

> > May we assume that the TGT will be involved in a Kerberos exchange later on?
> > I mean, I think that the TGT will have to be provided to the initiator somehow
> > (within the GSS-EAP exchange?).
> >
> > I assume that the initiator will have some Kerberos source code implemented to
> > handle the TGT and to request service tickets. Otherwise, having a TGT is
> > useless, as you mention.
>
> I don't think these are reasonable assumptions.

Well, if we send a TGT or ST to the initiator, it would seem reasonable to me that the initiator knows how to handle it. But maybe it is not reasonable. In any case, it seems you consider that the TGT or ST is provided to the initiator as an opaque blob, so that the initiator will have to send it later on (as an opaque blob) to the RP. Is that right?

> I think we can assume that if a TGT is used, it is provided to the initiator.

I was wondering how that TGT is provided to the initiator (within a GSS-API token after a successful authentication?) and how the initiator sends it to the RP.

> I'm fine if a TGT is only provided when it is going to be used. However, I want a
> service ticket provided (with authorization data) to the RP even if the
> initiator has never heard of Kerberos and has no Kerberos code at all
> other than the RFC 3961 implementation inherent in gss-eap.

Yes, I understand that this is what you want. What I am trying to see is how it could operate, and the motivation.

Best regards.

> In response to Nico's question about trusted proxies: I don't think
> there is much trust involved in allowing the RP to interact with a
> service ticket. In effect, what I think we're building is a form of
> protocol transition where, rather than trusting the RP to assert that the
> client is authenticating, we're providing a GSS-EAP exchange targeted at
> the RP to a KDC.
>
> To me, that level of trust (much less than protocol transition) is
> highly desirable.
>
> --Sam

-------------------------------------------------------
Rafael Marin Lopez, PhD
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Telf: +34868888501 Fax: +34868884151
e-mail: [email protected]
-------------------------------------------------------
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
