[16745] in Kerberos_V5_Development


Re: Delegation and Moonshot

daemon@ATHENA.MIT.EDU (Nico Williams)
Mon Apr 4 00:48:18 2011

MIME-Version: 1.0
In-Reply-To: <933651F3-7B3D-4C40-833E-40F86E85F9D9@padl.com>
Date: Sun, 3 Apr 2011 23:48:14 -0500
Message-ID: <BANLkTikXACRiB0z3CuzdDcJP+Y1ywQkeGQ@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Luke Howard <lukeh@padl.com>
Cc: Moonshot community list <moonshot-community@jiscmail.ac.uk>,
   "krbdev@mit.edu" <krbdev@mit.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit

On Sun, Apr 3, 2011 at 11:38 PM, Luke Howard <lukeh@padl.com> wrote:
>> winnowed according to policy at the AAA server.  Is that possible?
>
> Sure, or ditto at the KDC. Obviously, there's a convenience vs privacy tradeoff: the AAA server needs to include in the assertion any attributes that may be required by delegatees, and these will be visible to the delegating service. If this is unacceptable, a model where the KDC contacts the IdP is better.

I thought about the KDC doing the winnowing, but surely the issuer of the assertion is best placed to do the winnowing, and if another party does it then the issuer has to trust it.  Now, for attributes asserted by the KDC, sure, by my logic the KDC would have to do the winnowing.

>> values that are of interest to the app (SIDs, ...) and even map them
>> to other things that are locally meaningful (UIDs, GIDs, ...).
>
> I think this could be better done with something like Shibboleth and mapping to the local (non-URN) namespace. We have this working with Moonshot and OpenSSH/OpenLDAP authorization and it works well.

I guess it's time for me to take a deep dive into Shibboleth... But not anytime soon :(
Can Shibboleth be made to pick apart the PAC?
> That said, map to any is implemented by MIT. Not by Heimdal though.
Think it can be made to handle the PAC cleanly?
Nico
