NIM 2.0 'branding' question

Jeffrey Altman jaltman at secure-endpoints.com
Mon Oct 1 12:03:19 EDT 2007


Kevin Koch wrote:
>
> I’m not sure what level of ‘public’ this question deserves, so I’m
> starting with the safest level first.
>
I see no reason why a design discussion of a publicly distributed
proposal would not be public to the extent that the proposal was public. 

Sending the reply to kfwdev at mit.edu

>
> In the ‘Proposed User Experience for … NIM 2.0’ on pages 3, 4, 5 and
> 7, there are screenshots of identities.  In the upper right corner of
> each identity display is the type of identity – Kerberos V5,
> Certificate, Secure Key Storage.
>
> I think this might meet MIT (the customer) needs.  But what about
> Stanford, whose users never see the word ‘Kerberos?’
>
> Kevin
>
You are misunderstanding the objection.  Clearly, users at Stanford see
the terms "Kerberos v5", "Kerberos v4", "AFS", etc. The credentials they
obtain are labeled as "Kerberos v5" or "AFS" credentials.  There are
configuration options pages and details that they need to be able to
interact with.  These aren't labeled "SUNetId", they are labeled based
upon the identity provider and credential types.

In NIM 1.x, there is only a single identity provider so there is no need
to distinguish them.  In a multiple identity provider model, the user
must be able to distinguish which identity provider is in use because
credential acquisition behavior associated with each identity provider
is expected to be different.  I do not consider distinguishing between
types to be branding. 

When a NIM 2.x user wishes to obtain credentials, she selects from a
list of pre-defined identities.  When the identities are created in the
user will not be asked for the "Kerberos Username" or the "SUNetId". 
Instead as shown in Figure 6, they will be given the choice of selecting
between the various installed identity providers in a graphical list by
Icon and Name.  Selecting the "Kerberos v5" identity provider will
prompt them for "Username" and "Realm" but not "Kerberos Username" or
"SUNetId".  When the user selects the Certificate identity provider, she
will have the opportunity to configure a Kerberos v5 credential that
should be obtained.  In doing so, the user will be prompted for the
"Username" and "Realm" but not the "Kerberos Username" or the "SUNetId". 

In Figure 2, the Identity Provider's Icon is displayed next to the
identity name and on the right it specifies the Identity Provider's
name.  Where we believe the branding opportunity exists is in this
dialog where an organization could associate a new Icon with the
identity based upon the Kerberos v5 realm or the Certificate's Issuer. 

Jeffrey Altman

