Re: Was a smartcard used to get the ticket?

On Aug 9, 2007, at 2:02 PM, Leif Johansson wrote:

> Henry B. Hotz wrote:
> <snip>
>> Wish I had been able to listen in to the IETF discussion.  The meeting
>> notes are a bit skimpy.
> One mechanism that was discussed was to use SAML authentication contexts to
> communicate information about how the authentication was done. Would that
> carry enough information to solve the problem for you?
>     Cheers Leif

Most likely.  OTOH I can't have the KDC waiting on an external SAML  
engine to provide the extra bit of authZ info before issuing a ticket.

There's a certain simplicity to the idea of just copying the original  
authN cert that I like.  In a sense that does nothing to solve the  
problem.  OTOH maybe that's a good thing since complex authZ  
decisions usually need to be made close to the specific service  
rather than centrally in my experience.

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu