>> Also, from a Moonshot standpoint, do we have any plans to implement
>> anything heavier-weight than what we do now?
>
> Well, before we can think about implementation we should think about GSS
> API methods capable of leveraging the request/response pattern, given an
> established GSS context (e.g., to obtain attributes for a principal that
> weren't provided in the initial context set-up; or to obtain an
> authorisation decision from a remote PEP after authentication).
I thought the idea was just to use the request/response messages within the AAA protocol rather than make an actual SOAP request? It would be possible to defer attribute collection until gss_get_name_attribute() was called. In theory this would work for one way of retrieving attributes via the SSP, but not the way we would want to do things going forward (i.e. for Windows 8 claims compatibility).
I'm not exactly sure what you mean by "obtain attributes for a principal that wasn't provided in the initial context set-up" -- what kind of principal would this be? Are you thinking about attributes for the device the user is authenticating from, or something?
-- Luke