[36193] in Kerberos


Re: Advice on cross-realm PKINIT?

daemon@ATHENA.MIT.EDU (Nico Williams)
Mon Jun 9 16:12:27 2014

In-Reply-To: <53961113.2070306@mit.edu>
Date: Mon, 9 Jun 2014 15:12:08 -0500
Message-ID: <CAK3OfOgS1AFtCtDqAZFo-6RM6PEYATadZ-MqEsTWvUHJK8zUMA@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Greg Hudson <ghudson@mit.edu>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>

I've actually written an I-D on using kx509 + cross-realm PKINIT as a PKCROSS.

There's no reason that an AS couldn't support it, but it would mean a
number of changes to existing ASes.

Alternatively this should be done in the TGS protocol.  That would
mean fewer surprising changes.  (It'd be surprising for an AS to issue
a Ticket without INITIAL or with a non-empty transit path, for example.)

Nico
--
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
