Hi Daniel, Marcel,
This is an intriguing approach. In fact I think it's the best option on the
table at the moment (plus you have running code apparently). Have you
written this up in any more detail?
Josh.
On 13/02/2014 18:38, "Daniel Kouril" <[log in to unmask]> wrote:
>Hi Sam, all,
>
>we've produced a pilot of a solution for delegation (and partially SSO),
>which is based on utilization of short-lived tokens. Basically, on
>successful authentication, the RADIUS server produces a new X.509
>cert/key (minced with name of the user) which is sent to the application
>server and exposed via the appropriate gss_accept_sec_context()
>parameter. The context initialization routines then try to use the
>credentials (via eap-tls) if they're available for authentication to the
>RADIUS. Some basic support for restricted delegation was considered,
>too.
>
>The primary author of these extensions is Marcel Poul, who's present on
>the list. I don't know if the unanswered queries you mentioned below
>were pointed to us (if so, I'm sorry for leaving them without a
>response) but we're happy to provide more information if there's
>interest.
>
>cheers,
>
>Daniel
>
>On Fri, Feb 07, 2014 at 10:58:35AM -0500, Sam Hartman wrote:
>> We've had a number of discussions of moonshot delegation from time to
>> time.
>> It's clear there are use cases for this; the one you stated is a quite
>> common use-case.
>>
>> I think this is likely to be important long-term.
>>
>> Someone was working on an academic project to explore this. I did not
>> understand their design decisions and didn't get answers to my queries
>> about that.
>>
>> Luke also did some work looking at SAML delegation.
>>
>> Besides that, I'm not aware of anyone funding or otherwise resourcing
>> work in this area.
>> I'd be happy to point people at discussions of various options and
>> designs if someone figures out how they will dedicate development
>> resources to this problem.
>>
>> --Sam
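The delegation flow Daniel sketches above (a short-lived credential minted on successful authentication, bound to the user's name, handed to the application server for a further authentication hop, with some restricted delegation) is modelled below as an added Python example. It is not part of this thread and not the pilot code Daniel and Marcel wrote: the pilot issues an X.509 cert/key and presents it over EAP-TLS, whereas this stand-in uses an HMAC-signed JSON claim set so it runs offline with the standard library only. The issuer key, user names, target names and lifetime are all constructed for the example.

```python
import hashlib
import hmac
import json
import time

# Hypothetical issuer key held by the RADIUS server. In the pilot this role is
# played by an X.509 cert/key; an HMAC tag is a stand-in so the example needs
# no CA or TLS library.
ISSUER_KEY = b"constructed-example-issuer-key"

TOKEN_LIFETIME = 300  # seconds; "short-lived" is the property that matters


def mint_credential(user, allowed_targets, now=None, lifetime=TOKEN_LIFETIME):
    """Issuer side (the RADIUS server, after successful authentication).

    Mints a credential bound to the user and to the set of services it may be
    presented to, which is the restricted-delegation part.
    """
    now = time.time() if now is None else now
    claims = {
        "user": user,
        "targets": sorted(allowed_targets),
        "nbf": int(now),
        "exp": int(now) + lifetime,
    }
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()
    return {"claims": body.decode(), "tag": tag}


def verify_credential(cred, target, now=None):
    """Relying-party side (the RADIUS server the application server later
    authenticates to on the user's behalf). Returns (ok, reason, user).

    Checks, in order: integrity, validity window, and that the service the
    credential is being presented to is one it was restricted to.
    """
    now = time.time() if now is None else now
    body = cred["claims"].encode()
    expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["tag"]):
        return False, "bad signature", None
    claims = json.loads(body)
    if now < claims["nbf"]:
        return False, "not yet valid", None
    if now >= claims["exp"]:
        return False, "expired", None
    if target not in claims["targets"]:
        return False, "target not permitted", None
    return True, "ok", claims["user"]


if __name__ == "__main__":
    # Constructed walk-through: app server gets a credential for alice that is
    # only good for the storage service, and tries it in a few situations.
    t0 = 1_392_316_680
    cred = mint_credential("alice@example.org", ["storage.example.org"], now=t0)
    print(verify_credential(cred, "storage.example.org", now=t0 + 10))
    print(verify_credential(cred, "storage.example.org", now=t0 + 600))
    print(verify_credential(cred, "mail.example.org", now=t0 + 10))
```

The ordering in `verify_credential` is deliberate: the integrity check comes first so that no claim is trusted before the tag is verified, and the target check is what turns a bare short-lived credential into a restricted one. Anything a real deployment would add (revocation, audience binding to the application server itself, a proper certificate chain) sits on top of these same three checks.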