Kerberos for Web Services Larry Zhu Microsoft IETF67


Kerberos for Web Services
Larry Zhu
Microsoft
IETF67
Problem Statements
• KDC Access
WS-KERB
• Proxy through GSS-API acceptor
• WS_KRB_PROXY 05 01
WS-KRB-HEADER ::= SEQUENCE {
    proxy-data [1] ProxyData,
    ...
}
ProxyData ::= SEQUENCE {
    realm [1] Realm,
    cookie [3] OCTET STRING OPTIONAL,
    ...
}
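The slide only sketches the WS-KRB-HEADER that the client hands to the GSS-API acceptor so it can proxy the KDC exchange. The following is an added example, not code from the presentation or from any WS-KERB implementation: a minimal DER encoder and parser for that header, with the input checks an acceptor would apply before forwarding anything toward its KDC. It assumes explicit context tagging as in the RFC 4120 Kerberos ASN.1 module, that Realm is carried as a GeneralString (KerberosString), and that the "..." extension markers mean unknown components are skipped; the cookie size bound (max_cookie) is an assumed local policy, not something the slide specifies.

```python
# Added example (not from the slides): DER encode/decode of WS-KRB-HEADER.
# Assumptions: explicit context tags (RFC 4120 style), Realm as GeneralString,
# "..." means tolerate unknown components, cookie length bound is local policy.

SEQUENCE = 0x30        # universal constructed SEQUENCE
GENERAL_STRING = 0x1B  # universal GeneralString (RFC 4120 KerberosString)
OCTET_STRING = 0x04    # universal OCTET STRING


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def ctx(num, body):
    """Explicit context-specific tag [num]: constructed, wrapping a full TLV."""
    return tlv(0xA0 | num, body)


def encode_ws_krb_header(realm, cookie=None):
    """WS-KRB-HEADER { proxy-data [1] ProxyData { realm [1], cookie [3] OPTIONAL } }"""
    proxy = ctx(1, tlv(GENERAL_STRING, realm.encode("ascii")))
    if cookie is not None:
        proxy += ctx(3, tlv(OCTET_STRING, cookie))
    return tlv(SEQUENCE, ctx(1, tlv(SEQUENCE, proxy)))


def read_tlv(buf, pos):
    """Read one TLV at pos; returns (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:end], end


def iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value


def expect(tag, got):
    if got != tag:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (tag, got))


def parse_ws_krb_header(buf, max_cookie=256):
    """Return (realm, cookie) or raise ValueError.  Unknown context tags are
    skipped (the ... extension marker); trailing bytes, oversized cookies and
    non-ASCII realms are rejected instead of being forwarded to the KDC."""
    tag, outer, end = read_tlv(buf, 0)
    expect(SEQUENCE, tag)
    if end != len(buf):
        raise ValueError("trailing bytes after WS-KRB-HEADER")
    proxy_data = None
    for t, v in iter_tlvs(outer):
        if t == 0xA1:          # proxy-data [1]
            proxy_data = v
    if proxy_data is None:
        raise ValueError("proxy-data missing")
    tag, inner, end = read_tlv(proxy_data, 0)
    expect(SEQUENCE, tag)
    if end != len(proxy_data):
        raise ValueError("trailing bytes in proxy-data")
    realm = cookie = None
    for t, v in iter_tlvs(inner):
        if t == 0xA1:          # realm [1]
            tag, s, _ = read_tlv(v, 0)
            expect(GENERAL_STRING, tag)
            realm = s.decode("ascii")   # UnicodeDecodeError is a ValueError
        elif t == 0xA3:        # cookie [3] OPTIONAL
            tag, c, _ = read_tlv(v, 0)
            expect(OCTET_STRING, tag)
            if len(c) > max_cookie:
                raise ValueError("cookie too large")
            cookie = c
    if not realm:
        raise ValueError("realm missing or empty")
    return realm, cookie


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    blob = encode_ws_krb_header("EXAMPLE.COM", b"\x01\x02")
    print(blob.hex(), parse_ws_krb_header(blob))
```

The acceptor is the trust boundary here: it turns an untrusted web request into KDC traffic on the client's behalf, so rejecting malformed or oversized headers before the proxy step is what keeps the KDC from seeing attacker-shaped input.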
PKU2U
• Public-key-based user-to-user authentication protocol for peer-to-peer systems
• Use PKINIT/RFC4556 and RFC4120 messages
• Replace the KDC with the application server
• All traffic tunneled using GSS-API messages
• Use RFC4121 for all GSS-API primitives