
Re: Advice on cross-realm PKINIT?

daemon@ATHENA.MIT.EDU (Nico Williams)
Mon Jun 9 20:59:38 2014

MIME-Version: 1.0
In-Reply-To: <82E7C9A01FD0764CACDD35D10F5DFB6E6D4A9B@001FSN2MPN1-044.001f.mgd2.msft.net>
Date: Mon, 9 Jun 2014 19:59:18 -0500
Message-ID: <CAK3OfOhNL1i0JX9F-wX=s=3ZxGED4dNJeRLprnKWbMkx2w0B-w@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: "Nordgren, Bryce L -FS" <bnordgren@fs.fed.us>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Mon, Jun 9, 2014 at 7:36 PM, Nordgren, Bryce L -FS
<bnordgren@fs.fed.us> wrote:
> I think it's a bit harsh to claim cross-realm AS is not supported by the protocol.  [...]

Indeed, the fact that the client and server realm can't differ in the
AS-REQ doesn't mean that the pre-auth in the AS-REQ can't indicate the
client's true realm.  The "problem" is that other "invariants" are
violated by using AS for x-realm, as I mentioned earlier.  Nothing
that can't be overcome, and my idea is to use TGS anyways, but with a
PKINIT pre-auth instead of PA-TGS, and with a "cross-realm"
certificate (really, a cert issued most-likely by a kx509 CA -- an
issuer that wouldn't be part of the target TGS' issuers for its
realm's client principals).

Nico
--
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos