[36199] in Kerberos
RE: Advice on cross-realm PKINIT?
daemon@ATHENA.MIT.EDU (Nordgren, Bryce L -FS)
Mon Jun 9 21:31:23 2014
From: "Nordgren, Bryce L -FS" <bnordgren@fs.fed.us>
To: Nico Williams <nico@cryptonector.com>
Date: Tue, 10 Jun 2014 01:30:46 +0000
Message-ID: <82E7C9A01FD0764CACDD35D10F5DFB6E6D4B16@001FSN2MPN1-044.001f.mgd2.msft.net>
In-Reply-To: <CAK3OfOhNL1i0JX9F-wX=s=3ZxGED4dNJeRLprnKWbMkx2w0B-w@mail.gmail.com>
Content-Language: en-US
MIME-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
> The "problem" is that other "invariants" are violated by using AS for x-
> realm, as I mentioned earlier.
What kinds of issues are these invariant violations likely to cause? Would it be an obstacle to using the TGT to get services in the domain that issued it?
> Nothing that can't be overcome, and my idea
> is to use TGS anyways, but with a PKINIT pre-auth instead of PA-TGS, and
> with a "cross-realm"
> certificate (really, a cert issued most-likely by a kx509 CA -- an issuer that
> wouldn't be part of the target TGS' issuers for its realm's client principals).
I have to re-read your PKCROSS draft. It's been a while. What I'm angling for here is a means to support mechanism 3 on this page: http://www.freeipa.org/page/Collaboration_with_Kerberos (Logging in with a SASL/GSSAPI client). Essentially, I need to issue a TGT to non-Kerberos identities, which requires synthesizing a foreign Kerberos cname/crealm.
Bryce
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos