Re: [TLS] Negotiation in draft-santesson-tls-gssapi
On Thu, Jul 19, 2007 at 02:35:42AM +0200, Martin Rex wrote:
> While thinking a little longer about SPNEGO a number of problems
> come to mind.
>
> A common mechanism OID between initiator and acceptor only means
> that they will be able to parse each other's GSS-API tokens;
> it does in no way mean that authentication will work.
>
> How common is it that companies (ultimately two rival companies)
> have mutual trust configured between their company-internal
> Kerberos realms and maintain each other's Kerberos principal names
> on their ACLs?
Funny, I sent an e-mail to Sam last night proposing that we talk
tomorrow (we'll be in the same city) about the identity selection
problem.
I think it'd be nice to have a way to negotiate which "federation" (to
borrow a suitable term from the world of Liberty and other identity
schemes) to use. I picture a (forgive me) stackable pseudo-mechanism by
which the client and server can agree on a federation. In general it
should be sufficient, and better, for the server to tell the client what
the federations are that it participates in, ASAP, so that in protocols
where there's a chance to do that before GSS context establishment
starts, no round-trip penalty is incurred.
However, there are issues to think about. Protecting the negotiation is
an obvious one. Privacy protection of the client's identity(ies) is
another.
One thing that seems nice is that "federation" names can be independent
of authentication mechanisms. A PKI, Kerberos and/or Liberty federation
would be a world of domains/realms where entities (such as users and
servers) should be able to authenticate each other provided that they
have valid credentials.
Federated world negotiation is part of the identity selection problem.
Of course, the identity selection problem is still non-trivial to solve
even if we solve the federated world negotiation problem.
Nico
--
_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls