Delegation and Moonshot
lukeh at padl.com
Tue Apr 5 19:43:05 EDT 2011
> Very interesting work but I need to catch up a bit. I assume we as a
> community are no longer shouting down the thought of kerberos ticket
> mediated transmission of authorization information as the incarnation
> of evil....? :-)
I think the success of Active Directory silenced that argument. Also, the fact that we have reasonable (if imperfect) authorisation data plugin APIs, both at the KDC and GSS layers, makes it possible to develop these things independently. In some respects, the naming extensions SPI is the most important, because it provides a consistent way to surface authorisation data to the application.
> That seemed to be the case 8 years ago or so when we were working on
> the problem of identity linked service authorization assertions.
> There seemed to be a plethora of issues raised surrounding the
> inability of anything in the ecosystem to handle kerberos tickets
> which enclosed auth_data encoded payloads. If I remember correctly
> the thought of loading any type of XML data as authorization
> information was voiced as profoundly repugnant.
I suspect a lot of people would still share that argument. I'm not forcing this down anyone's throats, though; it's really just a personal research project ;-)
> From the last pair of quoted paragraphs above it would seem the KDC
> will now be involved in what amounts to authorization policy
> decisions. I'm assuming the KDC will simply issue a naked ticket if
> any aspect of the assertion verification fails?
Correct (or, if it can, it will generate a new one from information in the directory). I haven't attempted to address ticket issue policy.
> We had the KDC involved in the authorization process and I distinctly
> remember Sam Hartman's objection that this was a serious security
> problem as it was the KDC's intrinsic duty to always issue a properly
> formed ticket based only on the presentation of an authentication
> credential. I noted with interest when I read all the Moonshot
> documentation that Sam's Painless was engaged for Moonshot's
> feasibility analysis.
Well, to be clear, this research into delegation is not sponsored or necessarily endorsed by the Moonshot project. Nor is Moonshot Kerberos; it's an independent GSS mechanism (that happens to use some RFC 4121 tokens).