Re: GGF evidently needs stackable pseudo-mechs

Ok, here's the final version of the document to make sure we have a
consistent view of section numbers:

http://www.ggf.org/documents/GFD.24.pdf

The relevant extensions we are using are described in section 2.3.

In our implementation we use the first call (in 2.3.1) to pull X509
extensions from the certificate and then push those into a GAA
library.

Conceptually one could define an OID meaning give me any SAML
attribute assertions associated with the client in the context.

I also recall a conversation a while back where someone (you or
Jeffrey I think) argued this would be better done as an inquiry
mechanism based on the gss_name, which I agree with.

Von


Nicolas Williams writes (09:40 July 22, 2005):
 > On Thu, Jul 21, 2005 at 12:47:58PM -0500, Von Welch wrote:
 > > 
 > > Still not entirely sure what you're looking for.
 > > 
 > > We don't do any SAML-based authentication, we do PKI (with a GSS
 > > interface) for authentication and use SAML assertions to convey
 > > attributes or authorization assertions.
 > 
 > Right, and that's what I'm interested in.
 > 
 > > We use a hack of putting SAML assertions into X509 extensions as a
 > > way to convey those assertions through TLS and other protocols and
 > > then use GSS extensions described in the GGF document to pull those
 > > assertions out.
 > 
 > Ah.
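As an added example, not code from this thread, from GFD.24 or from the implementation Von describes: a pure-Python DER walker that locates an X.509 extension by OID and returns its extnValue, which is the step a GSS implementation performs before pushing an embedded assertion into an authorization library. The OID 1.3.6.1.4.1.99999.1 and the assertion text are constructed placeholders.

```python
# Added example: locate an X.509 extension by OID in a DER Extensions SEQUENCE.
def _der(tag, content):
    n = len(content)                            # short or 2-byte long-form length
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + content

def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:                          # base-128, high bit set on all but the last octet
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append((a & 0x7F) | 0x80)
        out += bytes(reversed(chunk))
    return bytes(out)

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    arcs, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(val)); val = 0
    return ".".join(arcs)

def find_extension(extensions_der, oid):
    tag, body, _ = _read_tlv(extensions_der, 0)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    pos = 0
    while pos < len(body):
        _, ext, pos = _read_tlv(body, pos)      # Extension ::= SEQUENCE { OID, [BOOLEAN], OCTET STRING }
        _, ext_oid, p = _read_tlv(ext, 0)
        tag, val, p = _read_tlv(ext, p)
        critical = tag == 0x01 and val == b"\xff"
        if tag == 0x01:                         # optional 'critical' BOOLEAN is present
            _, val, p = _read_tlv(ext, p)
        if _decode_oid(ext_oid) == oid:
            return critical, val
    return None

# Constructed sample: basicConstraints (critical) followed by the placeholder SAML carrier.
SAML_EXT_OID = "1.3.6.1.4.1.99999.1"             # placeholder private-arc OID, not a registered one
ASSERTION = b"<saml:Assertion>placeholder</saml:Assertion>" * 4   # >127 bytes: exercises long-form length
EXTENSIONS = _der(0x30,
    _der(0x30, _der(0x06, _encode_oid("2.5.29.19")) + _der(0x01, b"\xff") + _der(0x04, b"\x30\x00"))
    + _der(0x30, _der(0x06, _encode_oid(SAML_EXT_OID)) + _der(0x04, ASSERTION)))
```

The returned bytes are untrusted until the certificate chain has been validated and the SAML assertion's own signature checked; per RFC 5280 a validator must reject the certificate if it meets a critical extension it does not recognize.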

_______________________________________________
Kitten mailing list
Kitten at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/kitten