Kerberos for Web Services Larry Zhu Microsoft IETF67
Problem Statements • KDC Access
WS KERB
• Proxy through GSS-API acceptor
• WS_KRB_PROXY 05 01
  WS-KRB-HEADER ::= SEQUENCE {
      proxy-data [1] ProxyData,
      ...
  }
  ProxyData ::= SEQUENCE {
      realm  [1] Realm,
      cookie [3] OCTET STRING OPTIONAL,
      ...
  }
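The header definition above, as an added example that is not part of the slides: a small DER encoder plus a strict decoder for WS-KRB-HEADER. It assumes the RFC 4120 convention of explicit context tags and that Realm is a KerberosString (GeneralString, universal tag 27); the `05 01` bytes on the slide are not modelled.

```python
# Added example: DER for WS-KRB-HEADER as drafted on the slide (assumed explicit tags).
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def encode_proxy_data(realm, cookie=None):
    """ProxyData ::= SEQUENCE { realm [1] Realm, cookie [3] OCTET STRING OPTIONAL }"""
    fields = _tlv(0xA1, _tlv(0x1B, realm.encode("ascii")))  # [1] GeneralString
    if cookie is not None:
        fields += _tlv(0xA3, _tlv(0x04, cookie))            # [3] OCTET STRING
    return _tlv(0x30, fields)                                # SEQUENCE

def encode_ws_krb_header(realm, cookie=None):
    """WS-KRB-HEADER ::= SEQUENCE { proxy-data [1] ProxyData, ... }"""
    return _tlv(0x30, _tlv(0xA1, encode_proxy_data(realm, cookie)))

def _read_tlv(buf, pos, tag):
    """Read one TLV at pos; require the expected tag and a minimal DER length."""
    if pos + 1 >= len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}")
    first, pos = buf[pos + 1], pos + 2
    length = first
    if first >= 0x80:  # long form: reject indefinite (0x80) and non-minimal lengths
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        if n == 0 or length < 0x80:
            raise ValueError("non-minimal DER length")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return buf[pos:pos + length], pos + length

def decode_ws_krb_header(buf):
    """Parse a WS-KRB-HEADER; returns (realm, cookie), cookie None when absent."""
    body, end = _read_tlv(buf, 0, 0x30)
    if end != len(buf):
        raise ValueError("trailing bytes after WS-KRB-HEADER")
    pd, _ = _read_tlv(_read_tlv(body, 0, 0xA1)[0], 0, 0x30)
    realm_wrap, pos = _read_tlv(pd, 0, 0xA1)
    realm, _ = _read_tlv(realm_wrap, 0, 0x1B)
    cookie = None
    if pos < len(pd):  # optional cookie; later extension fields ('...') are ignored
        cookie, _ = _read_tlv(_read_tlv(pd, pos, 0xA3)[0], 0, 0x04)
    return realm.decode("ascii"), cookie
```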
PKU2U
• Public Key based User to User authentication protocol for peer-to-peer systems
• Use PKINIT/RFC4556 and RFC4120 messages
• Replace the KDC with the application server
• All traffic tunneled using GSS-API messages
• Use RFC4121 for all GSS-API primitives