[36569] in Kerberos

Re: What happened to PKCROSS?

daemon@ATHENA.MIT.EDU (Nico Williams)
Fri Oct 24 12:55:12 2014

MIME-Version: 1.0
Date: Fri, 24 Oct 2014 11:54:55 -0500
Message-ID: <CAK3OfOhArjbPZqv+7hwDpSUSxjW=YXo3=d=2TKWXNUnL1mq+vA@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Rick van Rein <rick@openfortress.nl>, "kitten@ietf.org" <kitten@ietf.org>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

FYI, I just submitted draft-williams-kitten-krb5-pkcross-03.

It still needs some work, obviously (e.g., DANE RRset stapling).  But
it's closer.

In particular I've added details on how a TGS can drive PKCROSS.  It
turns out to be quite simple...

TODO:

 - add a new KDC error code by which a KDC can indicate that it is
rejecting a foreign realm PKINIT request by a non-KDC client

 - add a reference(s) for DANE stapling

 - maybe remove all TOFU/LoF text (since it could go in a separate I-D)

 - ...

Nico
--
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
