Win2000 PAC-Credentials Implementation

James F. Hranicky jfh at cise.ufl.edu
Thu Sep 4 23:54:10 EDT 2003


On Thu, 4 Sep 2003 15:49:44 -0500
greg at wind.enjellic.com (Dr. Greg Wettstein) wrote:

[...]
> A federated identity structure means that organizations are going to
> take responsibility for managing their own user identities.  These
> three fundamental identities thus exist within the context of an
> enterprise or something that I refer generically to as an 'identity
> holder'.
[...]
> As I had noted before one of the things that I was interested in was
> the problem of developing a secure and highly granular authorization
> system.  When considered conceptually there are two broad classes of
> authorizations to worry about.  I classify these as service and device
> authorizations.
> 
> Service authorizations are useful, for example, in a clustered
> environment or WEB environment where a generic service is vended to
> consumers of information without regard to the device (or host)
> delivering the service.  A device or host based authorization is
> required when there is a need to differentially convey authorization
> based on the host or device making the authorization decision.  The
> best example of the latter type would be sudo or root access.

It dawned on me while searching for the ultimate open-source calendaring
program that if I were to write my own, I'd want to be able to set up my
own groups consisting of anyone, anywhere:

	Group FullCalendarAccess:
		mom at somewhere.com
		dad at somewhereelse.com
		friend at example.com

etc. Then I figured, hey, wouldn't it be cool if you could generalize access
to all parts of your system/network/services that way, say, sharing files
with specific users anywhere on the net, etc.

I figured what was needed was a distributed identity management system
which allowed any individual organization to authenticate any of its
users to any service/user/machine/program on the internet, and allow
remote sites to manage their own authorization data. In essence, I'd
allow mom at somewhere.com access to my calendar at www.thisplace.org. In
order to do so, someone claiming to be mom would send me a set of
credentials which I'd pass on to the authentication server for somewhere.com,
and they'd return yes or no. Once mom was authenticated with a yes, 
I'd allow her access to my calendar. In other words, Kerberos for anyone
on the 'net.

I suppose all this would require things like authentication servers listed
in DNS, a large PKI scheme to authenticate them (or maybe DNSSEC?), plus
you'd need the ability to mark your authentication server as compromised
in the event of a break-in, returning the appropriate value/error message
when asked for authentication...I haven't really thought all the details
through. What you get is the ability to grant access to services on your systems
to anyone on the Internet without requiring them to have a local account, 
i.e., authentication remains local and distributed as it is now, while 
authorization and access become Internet-wide. Ultimately, for all I know,
this may not be a practical scheme.

So, what I'm asking in my long post is, "Does Hurderos plan on setting up
a system like this?" :->

Jim

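The scheme sketched in the post, as an added toy model that is not part of the original message: authentication is delegated to the user's home organization (the "identity holder" for that domain), while the group membership that decides authorization stays with the relying party. The registry standing in for a DNS lookup, the `user@domain` identity form, the string "credentials" and the `compromised` flag are all assumptions for illustration.

```python
# Added example (not from the post): authentication delegated to the identity
# holder for the user's domain, authorization decided locally by the relying
# party. Registry, credential format and the compromised flag are assumed.
from dataclasses import dataclass, field


@dataclass
class IdentityHolder:
    """The home organization's authentication server for one domain."""
    domain: str
    # Constructed sample data: the users this holder vouches for and the
    # credential each presents. A real holder would check a Kerberos ticket
    # or signature rather than compare strings.
    known_users: dict = field(default_factory=dict)
    compromised: bool = False   # set after a break-in; must fail closed

    def authenticate(self, user: str, credential: str) -> str:
        if self.compromised:
            return "holder-compromised"
        return "yes" if self.known_users.get(user) == credential else "no"


class RelyingParty:
    """www.thisplace.org: owns the authorization data, delegates authentication."""

    def __init__(self, registry: dict):
        self.registry = registry   # domain -> IdentityHolder (stands in for DNS)
        self.groups: dict = {}     # group name -> set of "user@domain"

    def add_member(self, group: str, identity: str) -> None:
        self.groups.setdefault(group, set()).add(identity)

    def authorize(self, identity: str, credential: str, group: str) -> str:
        user, _, domain = identity.rpartition("@")
        holder = self.registry.get(domain)
        if holder is None:
            return "deny: unknown identity holder"
        verdict = holder.authenticate(user, credential)
        if verdict != "yes":
            return f"deny: authentication {verdict}"
        # Authenticated by the home organization; membership is checked here.
        if identity in self.groups.get(group, set()):
            return "allow"
        return "deny: not a member"


def build_demo() -> RelyingParty:
    """Constructed sample: two identity holders and the calendar group."""
    registry = {
        "somewhere.com": IdentityHolder("somewhere.com", {"mom": "ticket-mom"}),
        "example.com": IdentityHolder("example.com", {"friend": "ticket-friend"}),
    }
    rp = RelyingParty(registry)
    rp.add_member("FullCalendarAccess", "mom@somewhere.com")
    return rp
```

Marking a holder as compromised makes every decision that depends on it fail closed, which is the behaviour the post asks for after a break-in.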

More information about the Kerberos mailing list