[36569] in Kerberos
Re: What happened to PKCROSS?
daemon@ATHENA.MIT.EDU (Nico Williams)
Fri Oct 24 12:55:12 2014
MIME-Version: 1.0
Date: Fri, 24 Oct 2014 11:54:55 -0500
Message-ID: <CAK3OfOhArjbPZqv+7hwDpSUSxjW=YXo3=d=2TKWXNUnL1mq+vA@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Rick van Rein <rick@openfortress.nl>, "kitten@ietf.org" <kitten@ietf.org>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
FYI, I just submitted draft-williams-kitten-krb5-pkcross-03.
It still needs some work, obviously (e.g., DANE RRset stapling). But
it's closer.
In particular I've added details on how a TGS can drive PKCROSS. It
turns out to be quite simple...
TODO:
- add a new KDC error code by which a KDC can indicate that it is
rejecting a foreign realm PKINIT request by a non-KDC client
- add a reference(s) for DANE stapling
- maybe remove all TOFU/LoF text (since it could go in a separate I-D)
- ...
Nico
--
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos