Moonshot at Kerberos

Thursday, October 28th, 2010 by hartmans

At The MIT Kerberos Consortium’s 2010 conference, Josh Howlett and Sam Hartman delivered a talk on Moonshot. Slides should be up in a day or so. We reported on status and gave a brief overview.

The new material was apropos for the venue. At the bar BOF back in March at IETF 77, we received several comments on Moonshot’s limitations. It doesn’t work well for services that require rapid authentications for multiple requests. There’s not a good story for use when a Moonshot service needs to contact another service. There isn’t a good standardized mechanism for mapping in domain-specific policy.

We presented a proposal that Luke and Sam developed to optionally provide a Kerberos ticket as part of Moonshot authentication. This scales from a service that simply generates its own service tickets all the way through resource domains that have many services and complex policy and provide the client a TGT. Clients can implement the feature in order to achieve better performance. Servers can implement the feature in order to get delegation support within a resource domain and to get policy mapping.

Luke has prototyped a version of this service involving a service ticket. We plan on briefly mentioning a desire to have extensible fast reauthentication support at the ABFAB meeting in IETF 79. However, in the interest of getting the working group off to a good start, we’re going to focus on the well-understood parts of the system and formally propose this extension after IETF 79.

ABFAB working group approved

Wednesday, October 13th, 2010 by hartmans

Yesterday, the Application Bridging for Federated Authentication working group was approved in the IETF. This working group’s charter includes the IETF technologies needed by Project Moonshot. The group will meet at IETF 79 in Beijing this November.

Meanwhile, at last month’s Moonshot meeting in Copenhagen, an initial version of the technology was demonstrated. We’re still working through some of the administrative details needed before we can release the code for public review. There have been several exciting discussions both on the Moonshot implementation list and on the ABFAB list over the past few weeks.