logo_kerberos.gif

KrbWeb Buckley-BoardMtgPresoAndNotes-2008-07-24

From K5Wiki
Jump to: navigation, search

This document is a draft concerning Kerberos and the Web.

Context

Below are (reformatted) "..slides and notes from the Consortium Board meeting.." sent by Steve in this message on 24-Jul-2008 to mitkc-krbweb@.

They appear to be taken from Sam Hartman's "Kerberos Road Map" board preso of 7-Apr-2008, specifically the "Kerberos on the Web" major section, and have been slightly edited along with apparent questions/comments inserted, especially towards the end after the "Broader Authentication" topic header.

Kerberos on the Web Preso & Notes


* Kerberos on the web - Contents:
  o understand and analyze web services
    + WS-
    + Soap
    + XML DSIG/encryption
    + REST
    + SAML
  o Gateways between Kerberos, SAML and other federation technologies
  o Kerberos through firewalls
  o Authentication within the enterprise
  o Managing identity
  o Broader authentication


* web services
  o Examine and analyze
    + Protocols
    + How Kerberos is implemented today?
    + Implementation quality
    
  o Gap analysis
    + Can kerberos be used to secure all parts of a web services  
    infrastructure
      # Should only need one security system. Deploying them is hard and  
      costly.
      
    + Will extensions to kerberos break kerberos integration into web  
    services
      # Has had issues with using raw cert instead of AP-REQ
     
    + Are implementations and standards sufficiently avilable to meet  
    customer needs
    
    + Sufficient documentation
    
  o What we can do?
    + improve standards and docs
    + add necessary support for kerb implementation
    + Identify gaps, but not write web services ourselves


* Gateways to federation
  o Used alongside SAML/OpenID etc
  
  o Several challenges:
    + Authority to convert from one tech to another
    
    + Translating information such as entitlements from one format to  
    another
    
    + Determining trust to assign to an authentication that has crossed  
    mech boundaries
      # If you have a chain like KRB -> SAML -> OpenID -> KRB should I  
      trust it?
      
    + Policies are an important property of Federation
      # What policies should we look at? Where do we go?



* Firewalls
  o Several companies developed solutions to deliver Kerberos over the  
  same port as web traffic
    + Firewalls near client and server
    + Kerberos needs to follow same path as application
    
  o tools.ietf.org/id/dtraft-zhu-ws-kerb-03 may be part of the answer



* Authentication in Enterprise
  o Both Kerb and certs today
  
    + Required for security today
    
    + If either has a problem, you're in trouble
    
    + Kerb for privacy instead of certs?
      # easier to make arbitrary (self-singed) certs
      # Would have to re-implement a lot of the stack
      # Strongest argument is TLS problems that might not exist in KRB
      # Provided only have to do one deployment, most problems go away
      
  o Could improve user experience and config
  
    + web browsers all support KRB but tend to turn it off by default.
      # Why?
      # Work on user experience.
      
    + Make it easier to use Kerberos and other mech on the server side
    
    + Work on client config issues


* Managing identity
  o Kerberos identity management (which id to use)
  
  o Other ID frameworks have a variety of privacy mechanisms; can we  
  take these mechanisms or something similar and use them in Kerberos
  
  o How do you make this usable?
  
  o Need to understand user use cases for privacy and how that fits  
  into KRB



* Broader authentication
  o finish requirements work for web authentication
  
  o participate in discussion of web authentication in standards  
  organizations
  
  o Understand tech challenges, but not use cases.
    + Where will this benefit people?
    
    + Working with IETF and financial services industry.
    
      # workshop to bring together major web sites with security community  
      and find out where they would use other authentication technologies  
      (not just kerberos)
      
      # KRB community should be in place to...(?)
      
    + only current web services for kerberos is WS- where kerberos is a  
    profile
    
      # business to business is difficult

        * no way to send claims

        * No way of sending policy

        * Kerberos has everything you need in protocol, but no standardized  
        implementation

        * No facility to acquire and then act on policy, communicates all  
        attributes to services



* Strong connection to ACL based authorization today

  o Would like to see a capability based model
  
  o in ACL model, only thing you have is the principal name, so fewer  
  interesting things to do
  
  o Don't try to be OpenID as it's messy and complicated?
  
    + If we don't make sure we can interact with technologies in that  
    space, then people will find they can't use it
    
    + Our goal is not to be competitive but complementary (at least in  
    marketing)
      # We probably need to solve most of the problems they're solving anyway.
      
      # OpenID is wonderful for web browsers but bad for most other things

        * For going after the blogging identity market, would need to  
        understand where we would provide benefit

        * For business, need to have some of the properties of OpenID such as  
        lower infrastructure costs

  o Prefer to keep Kerberos as the foundation and let the vendors deal  
  with the higher level stuff?
  
    + This is a fundamental disagreement with basis of the presentation

    + One of the assumptions is that consortium should be doing the  
    "dreaming"
  
  o Basic message: understand tech, but need to know what use case  
  we're trying to solve and why we have a better solution than others