
shibboleth-dev - Re: Shibboleth and Kerberos Tickets


Re: Shibboleth and Kerberos Tickets


  • From: Shilen Patel <>
  • To:
  • Subject: Re: Shibboleth and Kerberos Tickets
  • Date: Mon, 16 Jul 2007 16:10:15 -0400

Scott Cantor wrote:
The proxy token is treated like a password by the applications, but the
PAM module verifies the ticket data and checks the lifetime. If we used
just any static attribute, that would not be secure.

Ok, but if it's a binary blob, what's the significant difference between the
original service ticket and this thing?

-- Scott



Ok, let me try to clarify. The blob that we're requesting is the part of the ticket that is encrypted by the backend service's key. The difference is that the blob is not encrypted in the requester's key.
The reason for this request comes in for applications that need to interact with a backend service that does not know anything about GSSAPI and can only accept a user name and password. We clearly don't want the password sent to the backend to be the actual user password. The password also cannot be the service ticket because the backend service will not be able to decrypt it. So instead, the application will send the blob as the password.
The alternative mentioned is to have the application decrypt the ticket and send just the blob to the backend. However, this means every application that uses the backends mentioned has to have the libraries to decrypt the service ticket. We can give each application owner the list of steps to do this and write code in every language we can think of to decrypt the ticket, but that's not ideal.


Thanks,

-- Shilen
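The proxy-token design described in this reply, modelled as an added Python example (not code from the thread or from the Shibboleth project): the KDC-side function seals the client name and the ticket lifetime under the backend service's key, the application hands the result around as an opaque password, and the backend's PAM-style check decrypts it with the service key and enforces the lifetime, so a static attribute or a token sealed under any other key is rejected. The sealing primitive is a standard-library HMAC-SHA256 stand-in for real Kerberos ticket encryption, an assumption made to keep the example dependency-free.

```python
import base64
import hashlib
import hmac
import json
import os

# Stand-in for Kerberos enc-part encryption (an assumption for this example, not a
# real Kerberos etype): HMAC-SHA256 keystream plus an HMAC tag, keyed by the service key.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, b"ks" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def _open(key: bytes, blob: bytes):
    if len(blob) < 16 + 32:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # not sealed under this service's key
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def issue_proxy_token(service_key: bytes, client: str, now: int, lifetime: int) -> str:
    """KDC side: the ticket part only the backend can read, as a password-safe string."""
    body = json.dumps({"cname": client, "authtime": now, "endtime": now + lifetime}).encode()
    return base64.urlsafe_b64encode(_seal(service_key, body)).decode()

def verify_proxy_token(service_key: bytes, token: str, now: int):
    """Backend (PAM module) side: decrypt, check integrity and lifetime; return cname or None."""
    try:
        blob = base64.urlsafe_b64decode(token)
    except ValueError:
        return None
    body = _open(service_key, blob)
    if body is None:
        return None
    fields = json.loads(body)
    if not fields["authtime"] <= now < fields["endtime"]:
        return None
    return fields["cname"]
```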
