[36833] in Kerberos


Re: Smart lock protocol

daemon@ATHENA.MIT.EDU (Rick van Rein)
Mon Mar 9 10:25:29 2015

Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\))
From: Rick van Rein <rick@openfortress.nl>
In-Reply-To: <CAJ2H98he_KqV6Kykoxm9R1e-ZJqdch8sq9-M-4B971AVsUnoQw@mail.gmail.com>
Date: Mon, 9 Mar 2015 15:24:56 +0100
Message-Id: <8DC57BA2-A9C8-42A3-B44F-84C5C3203C25@openfortress.nl>
To: Simon Peeters <simonpeeters90@gmail.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hi Simon,

First off, Kerberos-enabled front doors sound really cool to me.
It would be a lovely showcase of the protocol, and although it’s
not mainstream thinking it may turn out to be a genius idea.

But you and your visitors would need to set up a KDC link, get a
TGT and then a service ticket.  If you wrap that all up in your
app and provide the required access to the KDC to your guests
you should be fine.  Your guests would probably enter a fixed
PIN on their devices as the password to get the TGT.  The cleaning
people could use the same PIN everywhere this system was
used, and the separation between homes would still be secure
as long as the same TGT was used (implies realm crossover).

You would end up setting up some form of authorisation (just a
lookup table of some sorts, for example, or simply scripted rules)
for your various guests, switching based on their Kerberos-
authenticated user identities.

More conventional thinking, and IMHO not nearly as interesting,
would be to assign a public key (possibly wrapped up in an X.509
cert or PGP key) and manage which public keys may be used.
You’ll end up managing keys and noticing how difficult that is;
especially storing the private keys securely may be a drama.

If you build with Kerberos technology and embedded in some sort
of app then I’m pretty sure you’ll get popular for it.  If you go the
traditional way and use pubkeys with badly protected private keys
nobody will notice it.  Does that tickle you to continue on your path
with Kerberos, even if it’s a bit out of the ordinary?  I for one would
love to see what you cook up — and it *is* possible.

Cheers,
 -Rick
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
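The lock side of the scheme Rick sketches, as an added example that is not part of the post or of any project mentioned on this list: Kerberos (an AP-REQ carried over GSSAPI, say) proves which principal is at the door, and what remains is the "lookup table or scripted rules" that maps that authenticated identity to doors and times, including a cleaning crew whose principal lives in its own realm and reaches the lock through realm crossover. The realm names, door names, principals and policy below are constructed for illustration; the only Kerberos-specific part is the principal parser, which honours krb5 backslash escapes rather than splitting naively on '/' and '@'.

```python
"""Lock-side authorisation keyed on Kerberos principals (added example).

The Kerberos layer hands us the client principal after a successful
AP-REQ; nothing here ever sees a password or PIN.  Realm, door and
principal names are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    name: str                 # first component, e.g. "alice"
    instance: Optional[str]   # optional second component, e.g. "team3"
    realm: str                # e.g. "HOME.EXAMPLE"; realms are case-sensitive


def parse_principal(text: str) -> Principal:
    """Parse 'name[/instance]@REALM' honouring krb5 backslash escapes.

    'alice\\@HOME.EXAMPLE' has a literal '@' in its name and no realm at
    all; a naive split would accept it.  Malformed input raises and the
    caller turns that into a deny.
    """
    components: List[str] = []
    buf: List[str] = []
    in_realm = False
    i = 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):      # escaped character
            buf.append(text[i + 1])
            i += 2
            continue
        if in_realm and c in "/@":
            raise ValueError("separator inside realm: %r" % text)
        if not in_realm and c == "/":
            components.append("".join(buf))
            buf = []
        elif not in_realm and c == "@":
            components.append("".join(buf))
            buf = []
            in_realm = True
        else:
            buf.append(c)
        i += 1
    if not in_realm:
        raise ValueError("principal has no realm: %r" % text)
    realm = "".join(buf)
    if not realm or len(components) > 2 or any(p == "" for p in components):
        raise ValueError("malformed principal: %r" % text)
    instance = components[1] if len(components) == 2 else None
    return Principal(components[0], instance, realm)


@dataclass(frozen=True)
class Rule:
    label: str
    name: str
    realm: str
    doors: FrozenSet[str]
    instance: Optional[str] = None               # None matches only instance-less principals
    window: Optional[Tuple[time, time]] = None   # local-time window; None = any time


# HOME.EXAMPLE is the lock's own realm.  CLEANERS.EXAMPLE is reached via a
# cross-realm trust to the cleaning company's KDC, so its staff keep one
# identity (and one PIN) across every house while each house keeps its own
# policy.  Any other realm is refused before rules are consulted.
TRUSTED_REALMS = frozenset({"HOME.EXAMPLE", "CLEANERS.EXAMPLE"})

POLICY: List[Rule] = [
    Rule("owner", "alice", "HOME.EXAMPLE", frozenset({"front", "garage"})),
    Rule("guest-bob", "bob", "HOME.EXAMPLE", frozenset({"front"})),
    Rule("cleaners-weekday", "cleaning", "CLEANERS.EXAMPLE", frozenset({"front"}),
         instance="team3", window=(time(9, 0), time(17, 0))),
]

MONDAY_AFTERNOON = datetime(2015, 3, 9, 15, 24)   # sample timestamps for demos
MONDAY_NIGHT = datetime(2015, 3, 9, 22, 0)


def in_window(t: time, window: Tuple[time, time]) -> bool:
    """True if t lies in [start, end); start > end means the window wraps midnight."""
    start, end = window
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def authorise(principal_text: str, door: str, now: datetime,
              rules: List[Rule] = POLICY) -> Tuple[bool, str]:
    """Default-deny decision for the authenticated principal at one door."""
    try:
        p = parse_principal(principal_text)
    except ValueError as err:
        return False, "deny: %s" % err
    if p.realm not in TRUSTED_REALMS:
        return False, "deny: untrusted realm %s" % p.realm
    reason = "no matching rule"
    for r in rules:
        if (r.realm, r.name, r.instance) != (p.realm, p.name, p.instance):
            continue                              # different identity entirely
        if door not in r.doors:
            reason = "rule %s does not cover door %s" % (r.label, door)
            continue
        if r.window is not None and not in_window(now.time(), r.window):
            reason = "rule %s outside its time window" % r.label
            continue
        return True, "allow: rule %s" % r.label
    return False, "deny: " + reason
```

Two design points worth keeping when adapting this: the identity match is on the full (realm, name, instance) triple, so `alice/admin@HOME.EXAMPLE` is a different principal from `alice@HOME.EXAMPLE` and gets no access unless a rule names it, and realm comparison is exact, since Kerberos realms are case-sensitive and a lock that upper-cased or trimmed them would be making an authorisation decision on a name the KDC never vouched for.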

