Kerberized authorization service

Anne & Lynn Wheeler lynn at garlic.com
Tue Jan 29 10:03:10 EST 2008


Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:
> I am not that sure, actually.  Every time I look at SAML, I re-remember
> my biggest issue with it - the spec is frickin' huge (379 pages for all
> of the documents for SAML 2.0).  Also, it's rather "webby" ... I mean,
> the protocol is based on HTTP?  You need an XML library?  And it seems
> that you probably need SOAP in there as well.  Every example I've seen
> of it clearly is web-oriented.  I guess I see the advantage to using
> it when you have an already-bloated web server, but cramming all of
> that into sshd?  Ugh.

i remember sitting in on an early vendor SAML presentation about
implementation/deployment for coalition forces.

at the end, i went up to talk to the person doing the presentation (cto
or some other person from the vendor) and commented that the message
flows looked exactly like cross-domain kerberos (except using SAML
formatted messages). after some further discussion, he conceded that
there are only so many ways that such a thing could be accomplished.

kerberos was done in project athena at mit with equal funding by two
computer companies (there were two project athena assistant directors,
one from each vendor). somewhat as a result we would get to periodically
go by and review what was going on. one week we were there, got to
participate in early design sessions for cross-domain kerberos.

one of the assistant directors i had worked with at the science
center ... at the time of project athena was down the street ... but
earlier had been at 545 tech sq ... misc. past references
http://www.garlic.com/~lynn/subtopic.html#545tech

for other topic drift ... gml had been invented at the science center in
1969 and subsequently morphed into sgml, html, xml, and saml. misc.
past references
http://www.garlic.com/~lynn/subtopic.html#sgml

and for even more topic drift ... misc. posts about kerberos
and pk-init
http://www.garlic.com/~lynn/subpubkey.html#kerberos
