Josh, all,
in the end we produced a workshop paper describing the solution and have
just submitted it for review. I'm a bit hesitant to publish it widely at
the moment but I'm happy to share it with people who are interested. So
if you want to read the paper and possibly comment on it, please feel
free to drop me an email.
cheers,
Daniel
On Thu, Feb 13, 2014 at 09:23:52PM +0000, Josh Howlett wrote:
> Hi Daniel, Marcel,
>
> This is an intriguing approach. In fact I think it's the best option on the
> table at the moment (plus you have running code apparently). Have you
> written this up in any more detail?
>
> Josh.
>
> On 13/02/2014 18:38, "Daniel Kouril" <[log in to unmask]> wrote:
>
> >Hi Sam, all,
> >
> >we've produced a pilot of a solution for delegation (and partially SSO),
> >which is based on utilization of short-lived tokens. Basically, on
> >successful authentication, the RADIUS server produces a new X.509
> >cert/key (minced with the name of the user) which is sent to the application
> >server and exposed via the appropriate gss_accept_sec_context()
> >parameter. The context initialization routines then try to use the
> >credentials (via EAP-TLS), if they are available, for authentication to the
> >RADIUS. Some basic support for restricted delegation was considered,
> >too.
> >
> >The primary author of these extensions is Marcel Poul, who's present on
> >the list. I don't know if the unanswered queries you mentioned below
> >were pointed to us (if so, I'm sorry for leaving them without a
> >response) but we're happy to provide more information if there's
> >interest.
> >
> >cheers,
> >
> >Daniel
> >
> >On Fri, Feb 07, 2014 at 10:58:35AM -0500, Sam Hartman wrote:
> >> We've had a number of discussions of moonshot delegation from time to
> >> time.
> >> It's clear there are use cases for this; the one you stated is a quite
> >> common use-case.
> >>
> >> I think this is likely to be important long-term.
> >>
> >> Someone was working on an academic project to explore this. I did not
> >> understand their design decisions and didn't get answers to my queries
> >> about that.
> >>
> >> Luke also did some work looking at SAML delegation.
> >>
> >> Besides that, I'm not aware of anyone funding or otherwise resourcing
> >> work in this area.
> >> I'd be happy to point people at discussions of various options and
> >> designs if someone figures out how they will dedicate development
> >> resources to this problem.
> >>
> >> --Sam
>
>
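Daniel's description of the pilot above is a design sketch rather than code. The Go program below is an added example, not the pilot's code and not the GSS-EAP/RADIUS integration it plugs into, showing the core mechanism he describes: an issuer (standing in for the RADIUS server) mints a short-lived X.509 cert/key bound to the authenticated user name, and a relying party that later receives that credential back over a TLS client-auth exchange chains it to the issuer, checks the validity window, and recovers the user name. The self-signed CA, the user name "alice@example.org", the 10-minute lifetime and the clock-skew allowance are all assumptions made for the example; restricted delegation is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Issuer plays the role of the credential-minting side (the RADIUS server in
// Daniel's pilot). Assumption for this example: it holds a self-signed CA.
type Issuer struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// NewIssuer generates a throwaway CA key pair and self-signed CA certificate.
func NewIssuer() (*Issuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example delegation CA"}, // assumed name
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Issuer{cert: cert, key: key}, nil
}

// Cert returns the issuer's CA certificate, which relying parties trust.
func (i *Issuer) Cert() *x509.Certificate { return i.cert }

// MintDelegationCred issues a short-lived client-auth certificate whose
// subject is the authenticated user name, plus a fresh private key. This is
// the cert/key that would be handed to the application server.
func (i *Issuer) MintDelegationCred(user string, now time.Time, ttl time.Duration) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    now.Add(-30 * time.Second), // assumed clock-skew allowance
		NotAfter:     now.Add(ttl),                // short lifetime is the whole point
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, i.cert, &key.PublicKey, i.key)
	return der, key, err
}

// VerifyDelegationCred is the relying party's check when the credential comes
// back (over EAP-TLS in the pilot): chain to the trusted issuer, require
// client-auth usage, enforce the validity window at `now`, and return the
// user name the credential is bound to.
func VerifyDelegationCred(der []byte, issuer *x509.Certificate, now time.Time) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(issuer)
	if _, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return "", err
	}
	if cert.Subject.CommonName == "" {
		return "", errors.New("credential carries no user name")
	}
	return cert.Subject.CommonName, nil
}

func main() {
	iss, err := NewIssuer()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	der, _, err := iss.MintDelegationCred("alice@example.org", now, 10*time.Minute)
	if err != nil {
		panic(err)
	}
	user, err := VerifyDelegationCred(der, iss.Cert(), now.Add(time.Minute))
	fmt.Println("within lifetime:", user, err)
	_, err = VerifyDelegationCred(der, iss.Cert(), now.Add(11*time.Minute))
	fmt.Println("after lifetime:", err)
}
```

The check deliberately passes an explicit `now` rather than reading the clock, so the expiry behaviour can be exercised without waiting; a real relying party would use the wall clock, and the short NotAfter is what bounds the damage if the credential leaks from the application server.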