shibboleth-dev - RE: [Shib-Dev] 2-factor authentication

  • From: Peter Williams <>
  • To: "" <>
  • Subject: RE: [Shib-Dev] 2-factor authentication
  • Date: Fri, 26 Nov 2010 11:10:50 -0800
  • Accept-language: en-US
  • Acceptlanguage: en-US

The internet ppt has material on computer/user-based Kerberos auth to a
windows domain (using SPNEGO negotiation). Obviously, the workstation is
being managed as a kerberos-capable domain-member, which typically means the
machine is under group policy control of a domain controller that controls
the lifecycle of the Kerberos channels in the NOS.

The ppt then goes on to say that user certs are hard (as don't apply
them...). In the context of the above, computer certs for sso client auth are
actually easy to manage - as group policy does all the work
enrolling/re-enrolling the workstation's computer cert store with ssl
client-auth-capable certs and associating keys etc. Any certified windows admin can
do this.

This is relevant as computer-based (vs user-based) certs for ssl client-auth
are browser-independent. They get used in websso however when one desires to
protect the OS-delivered SPNEGO process against SSL MITM. A better auth
handler in an IDP applies the computer (not user) client auth at the ssl
level to the http auth headers themselves (including those conducting SPNEGO
negotiations), so SSL's evidences allow detection of https proxies by the
(enhanced) SPNEGO protocol engines.

The SSL evidences are not merely providing a tunnel, within which HTTP headers
are delivered (aka https). They are protecting the SPNEGO handshake itself,
WITHIN an HTTP flow.

(One needs workstations with windows vista and later, to make this all
practical.)

-----Original Message-----
From: [mailto:] On Behalf Of Chad La Joie
Sent: Friday, November 26, 2010 9:47 AM
To:
Subject: Re: [Shib-Dev] 2-factor authentication

The consortium just finished with the last bit of information needed for the
new roadmap. I hope to have the roadmap on the shib site updated today, so
check back on Monday.

On 11/26/10 12:32 PM, Tom Scavo wrote:
> There was a lot of very interesting discussion re 2-factor
> authentication and one-time passwords at the Fall 2010 Internet2
> Member Meeting:
>
> http://www.internet2.edu/presentations/fall10/20101101-ShibWG-cantor-lajoie.pdf
>
> but I'm not finding the above topic on the IdP roadmap:
>
> https://spaces.internet2.edu/display/SHIB2/IdPRoadmap
>
> Where does 2-factor authn fit on the Shib roadmap?
>
> FWIW, InCommon is very interested in this work and would be willing to
> contribute in some way.
>
> Thanks,
> Tom
>

--
Chad La Joie
http://itumi.biz
trusted identities, delivered
