KrbWeb Buckley-BoardMtgPresoAndNotes-2008-07-24
From K5Wiki
This document is a draft concerning Kerberos and the Web.
Context
Below are (reformatted) "..slides and notes from the Consortium Board meeting.." sent by Steve in this message on 24-Jul-2008 to mitkc-krbweb@.
They appear to be taken from Sam Hartman's "Kerberos Road Map" board preso of 7-Apr-2008, specifically the "Kerberos on the Web" major section, and have been slightly edited along with apparent questions/comments inserted, especially towards the end after the "Broader Authentication" topic header.
Kerberos on the Web Preso & Notes
* Kerberos on the web - Contents: o understand and analyze web services + WS- + Soap + XML DSIG/encryption + REST + SAML o Gateways between Kerberos, SAML and other federation technologies o Kerberos through firewalls o Authentication within the enterprise o Managing identity o Broader authentication * web services o Examine and analyze + Protocols + How Kerberos is implemented today? + Implementation quality o Gap analysis + Can kerberos be used to secure all parts of a web services infrastructure # Should only need one security system. Deploying them is hard and costly. + Will extensions to kerberos break kerberos integration into web services # Has had issues with using raw cert instead of AP-REQ + Are implementations and standards sufficiently avilable to meet customer needs + Sufficient documentation o What we can do? + improve standards and docs + add necessary support for kerb implementation + Identify gaps, but not write web services ourselves * Gateways to federation o Used alongside SAML/OpenID etc o Several challenges: + Authority to convert from one tech to another + Translating information such as entitlements from one format to another + Determining trust to assign to an authentication that has crossed mech boundaries # If you have a chain like KRB -> SAML -> OpenID -> KRB should I trust it? + Policies are an important property of Federation # What policies should we look at? Where do we go? * Firewalls o Several companies developed solutions to deliver Kerberos over the same port as web traffic + Firewalls near client and server + Kerberos needs to follow same path as application o tools.ietf.org/id/dtraft-zhu-ws-kerb-03 may be part of the answer * Authentication in Enterprise o Both Kerb and certs today + Required for security today + If either has a problem, you're in trouble + Kerb for privacy instead of certs? # easier to make arbitrary (self-singed) certs # Would have to re-implement a lot of the stack # Strongest argument is TLS problems that might not exist in KRB # Provided only have to do one deployment, most problems go away o Could improve user experience and config + web browsers all support KRB but tend to turn it off by default. # Why? # Work on user experience. + Make it easier to use Kerberos and other mech on the server side + Work on client config issues * Managing identity o Kerberos identity management (which id to use) o Other ID frameworks have a variety of privacy mechanisms; can we take these mechanisms or something similar and use them in Kerberos o How do you make this usable? o Need to understand user use cases for privacy and how that fits into KRB * Broader authentication o finish requirements work for web authentication o participate in discussion of web authentication in standards organizations o Understand tech challenges, but not use cases. + Where will this benefit people? + Working with IETF and financial services industry. # workshop to bring together major web sites with security community and find out where they would use other authentication technologies (not just kerberos) # KRB community should be in place to...(?) + only current web services for kerberos is WS- where kerberos is a profile # business to business is difficult * no way to send claims * No way of sending policy * Kerberos has everything you need in protocol, but no standardized implementation * No facility to acquire and then act on policy, communicates all attributes to services * Strong connection to ACL based authorization today o Would like to see a capability based model o in ACL model, only thing you have is the principal name, so fewer interesting things to do o Don't try to be OpenID as it's messy and complicated? + If we don't make sure we can interact with technologies in that space, then people will find they can't use it + Our goal is not to be competitive but complementary (at least in marketing) # We probably need to solve most of the problems they're solving anyway. # OpenID is wonderful for web browsers but bad for most other things * For going after the blogging identity market, would need to understand where we would provide benefit * For business, need to have some of the properties of OpenID such as lower infrastructure costs o Prefer to keep Kerberos as the foundation and let the vendors deal with the higher level stuff? + This is a fundamental disagreement with basis of the presentation + One of the assumptions is that consortium should be doing the "dreaming" o Basic message: understand tech, but need to know what use case we're trying to solve and why we have a better solution than others