[16765] in Kerberos_V5_Development


Re: Delegation and Moonshot

daemon@ATHENA.MIT.EDU (Luke Howard)
Wed Apr 6 18:27:45 2011

Mime-Version: 1.0 (Apple Message framework v1084)
From: Luke Howard <lukeh@padl.com>
In-Reply-To: <A10DD59A-8ADA-451E-81D4-F4CDEC895907@jpl.nasa.gov>
Date: Thu, 7 Apr 2011 08:27:29 +1000
Message-Id: <F609746E-A077-4DB6-AC2B-1CB860425977@padl.com>
To: "Henry B. Hotz" <hotz@jpl.nasa.gov>
Cc: "krbdev@mit.edu" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

> I will own up to being one of those.  I still regard the use of XML instead of ASN.1 as ugly in the context of Kerberos.  I would prefer an attribute certificate to a SAML assertion.

Even in the case where the explicit goal was SAML interoperability?

> IIUC Sam's real position was that adding authorization data could create interoperability problems.  Hopefully care is/will be taken so the problems are only DOS, and not incorrect authorization.

RFC 4120 5.2.6.1 specifies a way to include non-critical authorisation data.

-- Luke
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
