Latest news for index
Some colleagues (, , ) and I had the good fortune to help the with some analysis and strategy planning for the (broad) topic of "Kerberos and the Web", during this last Fall 2008. The main deliverables of this project are this document. .
. . and this presentation. .
. . given at the MITKC's Financial Services Security Summit and last Fall. Of course, these documents may not make much sense if one doesn't know what Kerberos is, so if that's the case, , as well as the on . Additionally, the has published outlining Kerberos' role(s) in the Big Picture of information systems in general, as well as various . That said, the MITKC's provides overall rationale for their Kerberos-on-the-Web project. They have also established for technical discussions on this topic. Additionally index, here's the salient portions of abstract. .
Today authentication and authorization are addressed in an incoherent, and often site-specific, fashion on the Internet and the Web specifically. This situation stems from many factors including the evolution, design, implementation, and deployment history of HTTP and HTTP-based systems in particular, and Internet protocols in general. Kerberos is a widely-implemented and widely-deployed authentication substrate with a long history in various communities and vendor products. Organizations that currently use Kerberos as a key element of their infrastructure wish to take advantage of its unique benefits while moving to Web-based systems, index but have had limited success in doing so. . . . [index] In this paper we outline the evolution of Web Identity and Services and describe the issues surrounding this complex landscape. These issues are captured within a set of more specific requirements that are deemed necessary to satisfy the relevant stakeholders; these requirements are then framed within the context of some general use cases. We then propose and describe a number of activities that leverage Kerberos to realize these improvements, and present an overall strategy and architectural model for working towards a more cohesive and widely deployed Kerberos-based Web authentication infrastructure.Casual readers may find the section entitled A Short History of Web Identity and Services interesting, while those desiring the gory details as well as the identified opportunities will benefit from reading the entire paper. Index here's the overall summary illustration. . [caption id="attachment_94" align="alignnone" width="300" caption="Summary of opportunities for Kerberos and the Web Architecture"][/caption] In concluding, we recommend that in conjunction with developing an overall strategy and architecture with stakeholders, that the MITKC ought to initiate at least these activities. .
Discussion of this paper and the MITKC's overall Kerberos-and-the-Web project occurs on . Feel free to and join in.
- Specify the use of Kerberos with TLS
- SAML-in-Kerberos: Extend Kerberos to permit the inclusion of a SAML assertion in KDC issued authorization data
- Kerberos-in-SAML: SAML profile supporting the generation of SAML assertions containing Kerberos tickets
- Update WS-Security Kerberos Token Profile specification
- Leverage SAML metadata to enable large-scale Kerberos cross-realm communities"), and
- Investigate, document and promote existing methods of using Kerberos to authenticate against a SAML identity provider