Services4User review

Nicolas Williams Nicolas.Williams at sun.com
Sat Sep 5 03:12:46 EDT 2009


On Sat, Sep 05, 2009 at 08:46:36AM +0200, Luke Howard wrote:
> On 05/09/2009, at 5:10 AM, Greg Hudson wrote:
> >On Fri, 2009-09-04 at 17:49 -0400, Nicolas Williams wrote:
> >>Actually, S4U2Self and Proxy *both* are in the same boat: they can
> >>be used without new gss_*cred*() extensions because in both cases
> >>they can be used solely through the delegated credentials returned
> >>by gss_accept_sec_context().
> >
> >That doesn't match my understanding.  As I understand it, the general
> >use case of S4U2Self is that you've authenticated a user by some
> >other means (like an X.509 certificate or a password over TLS) and
> >you want to get a ticket as that user to examine the PAC information
> >or for use with S4U2Proxy.  You never accepted a GSS security
> >context.  So you need gss_acquire_cred_impersonate_name to do
> >S4U2Self, but you can then pass the resulting credentials to
> >gss_init_sec_context to do S4U2Proxy, without needing a second
> >extension.
> 
> Yes, that is my understanding too.

Your page says:

"
Readers are referred to [MS-SFU] for protocol details, but the premise
behind S4U2Self is that a service requests a ticket from itself, to
itself, presenting some additional preauthentication data containing the
name of the user it has presumably authenticated. The KDC, after making
any access checks, returns a ticket with the client-name rewritten to
that in the preauthentication data. The server name is unchanged. 
"

It follows that one could use the initiator name from an established
security context.  Yes, that's twisting things around a bit.

Nico
-- 
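The following is an added illustration of the name handling the thread is arguing about; it is not code from the krbdev thread, from MIT krb5, or from [MS-SFU]. It is a toy model of the KDC side only: no wire encoding, no encryption, no PA-FOR-USER checksum, and the policy tables (which services are trusted for protocol transition, which back ends each service may delegate to) are constructed sample data standing in for KDB attributes. The principal names are made up. It shows the premise quoted above (S4U2Self returns a ticket whose client name is rewritten to the user named in the preauth data while the server name stays the requesting service), the two-step flow Greg describes (S4U2Self after some other authentication, then S4U2Proxy with the result), and the shortcut available when the client did authenticate with Kerberos (its presented service ticket is already usable as S4U2Proxy evidence). The policy modelled, that any service can obtain an S4U2Self ticket but only one trusted for protocol transition gets a forwardable one, is an assumption about typical KDC behaviour, not something the thread states.

```python
from dataclasses import dataclass, field

# Constructed sample principals, not real hosts.
REALM = "EXAMPLE.COM"
WEB = "HTTP/web.example.com@EXAMPLE.COM"      # front-end service doing S4U
FILES = "cifs/files.example.com@EXAMPLE.COM"  # back end WEB may delegate to
MAIL = "imap/mail.example.com@EXAMPLE.COM"    # back end WEB may NOT delegate to


@dataclass(frozen=True)
class Ticket:
    cname: str             # client principal the ticket was issued for
    sname: str             # service principal the ticket was issued to
    forwardable: bool = True


@dataclass
class KDC:
    realm: str
    # Constructed policy tables standing in for KDB attributes (assumption):
    # services trusted for protocol transition get forwardable S4U2Self tickets.
    protocol_transition: set = field(default_factory=set)
    # Constrained-delegation list: service -> back ends it may S4U2Proxy to.
    delegation_targets: dict = field(default_factory=dict)

    def qualify(self, name: str) -> str:
        return name if "@" in name else f"{name}@{self.realm}"

    def s4u2self(self, requester: str, pa_for_user: str) -> Ticket:
        """S4U2Self: requester asks for a ticket from itself, to itself, with
        PA-FOR-USER naming the user it authenticated by other means.  The
        issued ticket has cname rewritten to that user; sname is unchanged."""
        user = self.qualify(pa_for_user)
        # Any service may obtain the ticket (e.g. to look at the PAC), but only
        # a service trusted for protocol transition gets one it can later
        # present as S4U2Proxy evidence.
        return Ticket(cname=user, sname=requester,
                      forwardable=requester in self.protocol_transition)

    def s4u2proxy(self, requester: str, evidence: Ticket, target: str) -> Ticket:
        """S4U2Proxy: requester presents an evidence ticket issued to itself on
        the user's behalf and asks for a ticket to target with the same cname."""
        if evidence.sname != requester:
            raise PermissionError("evidence ticket was not issued to the requester")
        if not evidence.forwardable:
            raise PermissionError("evidence ticket is not forwardable")
        if target not in self.delegation_targets.get(requester, set()):
            raise PermissionError(f"{requester} may not delegate to {target}")
        return Ticket(cname=evidence.cname, sname=target)


def demo_kdc() -> KDC:
    """A KDC loaded with the constructed policy: WEB is trusted for protocol
    transition and may delegate to FILES only."""
    return KDC(REALM, protocol_transition={WEB}, delegation_targets={WEB: {FILES}})


def after_other_auth(kdc: KDC, service: str, user: str, backend: str) -> Ticket:
    """Greg's case: the user was authenticated by a certificate or a password
    over TLS, so no GSS context was accepted.  The S4U2Self step is what
    gss_acquire_cred_impersonate_name does; the S4U2Proxy step is what
    gss_init_sec_context does with the resulting credential."""
    evidence = kdc.s4u2self(service, user)
    return kdc.s4u2proxy(service, evidence, backend)


def after_kerberos_auth(kdc: KDC, service: str, presented: Ticket, backend: str) -> Ticket:
    """Kerberos client case: the service ticket the client presented to the
    service (cname=user, sname=service) already serves as the evidence ticket,
    so only S4U2Proxy is needed.  Feeding the context's initiator name to
    S4U2Self instead, as Nico suggests, is after_other_auth() with that name."""
    return kdc.s4u2proxy(service, presented, backend)


def denied(fn, *args) -> bool:
    """True if the modelled KDC refuses the request."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    kdc = demo_kdc()
    print(kdc.s4u2self(WEB, "alice"))                 # cname rewritten, sname still WEB
    print(after_other_auth(kdc, WEB, "alice", FILES))  # ticket to FILES as alice
    print(denied(after_other_auth, kdc, WEB, "alice", MAIL))  # not on delegation list
    print(denied(kdc.s4u2proxy, MAIL, kdc.s4u2self(MAIL, "alice"), FILES))  # not forwardable
```

The access checks are deliberately the only logic here: which service asked, whether its evidence ticket was issued to it and is forwardable, and whether the target is on its delegation list. Everything the real protocol adds (the PA-FOR-USER checksum, PAC contents, ticket lifetimes) is out of scope for the point being made in the thread.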



More information about the krbdev mailing list