Next: 7.1.4 How does SESAME
Up: 7.1 SESAME
Previous: 7.1.2 How does SESAME
Linda Gricius (April, 1998):
Similar work, aimed specifically at UNIX systems, has been done by the Massachusetts
Institute of Technology, which has developed a basic distributed single sign-on
technology called Kerberos. Kerberos V5 has been proposed as an Internet standard
(RFC 1510).
In the light of this work, the SESAME project decided that in its early implementation
some of the SESAME components would be accessible through the Kerberos V5 protocol
(as specified in RFC 1510),
and would use Kerberos data structures as well as new SESAME ones. This has
shown unequivocally that a product-quality approach reusing selected parts of
the Kerberos specification is workable, and that a world standard incorporating
features of both technologies is possible. SESAME extends Kerberos in the
following ways:
- It introduces user privilege attributes, carried in a digitally signed Privilege
Attribute Certificate (PAC) issued by a Privilege Attribute Service (PAS).
This lets users carry multiple identities and privileges (groups, roles
and any locally defined attribute types) rather than the single principal name
that a Kerberos ticket provides.
- SESAME can also, optionally, use public keys when forming associations between
clients and targets. Kerberos uses secret-key technology only.
- SESAME has controlled delegation of privileges (PACs), so that targets can, where
the client permits it, proxy their client's privileges to call other services on
the client's behalf (rather than calling them as themselves). Kerberos has only
uncontrolled delegation (a forwarded credential can be reused for any purpose), and
SPKM (the Simple Public-Key GSS-API Mechanism, RFC 2025) has no delegation.
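The PAC and controlled-delegation points above, as an added example that is not part of the original page or of the SESAME project's code: a Go model in which a Privilege Attribute Service issues a signed PAC, a target verifies it before using its attributes, and delegation is accepted only from targets the PAC names. The PAC layout, the Ed25519 signature, the JSON encoding and the names (alice, print-server, mail-server) are assumptions of this example; SESAME's actual PAC encoding and algorithms are not shown on this page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// PAC is a simplified model of a SESAME Privilege Attribute Certificate.
// Assumption: the real PAC is a larger structure; only the parts the text
// discusses (identity, privilege attributes, delegation control) appear here.
type PAC struct {
	Principal string   `json:"principal"`
	Groups    []string `json:"groups"`
	Roles     []string `json:"roles"`
	// Delegates names the targets allowed to present this PAC to further
	// services on the client's behalf. Empty means no delegation at all.
	Delegates []string `json:"delegates"`
}

// SignedPAC is the encoded PAC plus the PAS signature over it.
type SignedPAC struct {
	Body []byte
	Sig  []byte
}

// PAS models the Privilege Attribute Service, the only holder of the signing
// key (Ed25519 is an assumption of this example, not SESAME's algorithm).
type PAS struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewPAS() *PAS {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // entropy failure is not recoverable here
	}
	return &PAS{priv: priv, Pub: pub}
}

// Issue encodes the attributes and signs them. Targets need only the PAS
// public key to check the result, so they can verify PACs but not forge them.
func (p *PAS) Issue(pac PAC) (SignedPAC, error) {
	body, err := json.Marshal(pac)
	if err != nil {
		return SignedPAC{}, err
	}
	return SignedPAC{Body: body, Sig: ed25519.Sign(p.priv, body)}, nil
}

// Verify checks the PAS signature and decodes the PAC; any change to the
// attributes after issue makes the signature fail.
func Verify(pasPub ed25519.PublicKey, sp SignedPAC) (PAC, error) {
	if !ed25519.Verify(pasPub, sp.Body, sp.Sig) {
		return PAC{}, errors.New("PAC signature does not verify")
	}
	var pac PAC
	if err := json.Unmarshal(sp.Body, &pac); err != nil {
		return PAC{}, err
	}
	return pac, nil
}

// Authorize models a target accepting a PAC. presenter is the peer identity
// that the underlying mechanism (Kerberos or public key) authenticated on the
// association: the principal itself for a direct call, or another target for
// a delegated call, which is accepted only if that target is in Delegates.
func Authorize(pasPub ed25519.PublicKey, sp SignedPAC, presenter string) (PAC, error) {
	pac, err := Verify(pasPub, sp)
	if err != nil {
		return PAC{}, err
	}
	if presenter == pac.Principal {
		return pac, nil
	}
	for _, d := range pac.Delegates {
		if d == presenter {
			return pac, nil
		}
	}
	return PAC{}, fmt.Errorf("%s may not act with %s's privileges", presenter, pac.Principal)
}

// Tamper adds a role to the body without re-signing, to show that neither a
// target nor a delegate can escalate the attributes it was given.
func Tamper(sp SignedPAC, extraRole string) SignedPAC {
	var pac PAC
	_ = json.Unmarshal(sp.Body, &pac)
	pac.Roles = append(pac.Roles, extraRole)
	body, _ := json.Marshal(pac)
	return SignedPAC{Body: body, Sig: sp.Sig}
}

func main() {
	pas := NewPAS()
	// Constructed sample: alice lets only the print server act on her behalf.
	sp, _ := pas.Issue(PAC{Principal: "alice", Groups: []string{"staff"},
		Roles: []string{"auditor"}, Delegates: []string{"print-server"}})
	for _, who := range []string{"alice", "print-server", "mail-server"} {
		pac, err := Authorize(pas.Pub, sp, who)
		fmt.Printf("%-12s -> roles=%v err=%v\n", who, pac.Roles, err)
	}
	_, err := Authorize(pas.Pub, Tamper(sp, "admin"), "alice")
	fmt.Println("tampered     ->", err)
}
```

The two checks in Authorize are the whole difference from the Kerberos case described above: the target trusts the PAS key rather than a name in a ticket, so it can use groups and roles it never issued itself, and the Delegates list inside the signed body is what makes delegation controlled, because a service holding the PAC cannot widen that list or its own attributes without invalidating the signature.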
Regardless of the security mechanism used, the DAIS Security service accesses
the mechanism through a generic API, the Generic Security Services API (GSS-API,
RFC 2078). This standard API presents the same interface to the caller whatever
mechanism (Kerberos, SESAME or SPKM) implements the functions underneath, so the
DAIS code that establishes a security context and protects messages does not
change when the mechanism does.