[36236] in Kerberos


Re: What happened to PKCROSS?

daemon@ATHENA.MIT.EDU (Nico Williams)
Tue Jul 1 16:10:55 2014

In-Reply-To: <56D9F022-45B6-44B1-BAF8-3E42AFDB95EA@openfortress.nl>
Date: Tue, 1 Jul 2014 15:10:34 -0500
Message-ID: <CAK3OfOgWM87oA5JEeevieDKJ9=C9Uxee-xfhBGnzMx-8tzOMYA@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Rick van Rein <rick@openfortress.nl>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>

On Tue, Jul 1, 2014 at 1:01 PM, Rick van Rein <rick@openfortress.nl> wrote:
> I’ve been thinking about realm-crossing lately, specifically between hitherto unknown parties — that is, for use across the general Internet.

I have too.  I've an Internet-Draft on the subject.  I intend to
update it soon.  If all goes well I might find myself implementing a
few months from now, or if not maybe we can con someone else into
doing it.

My plan is roughly:

 - kx509 (local realm) -> PKINIT at remote realm to get a TGT for
krbtgt/REMOTE@REMOTE

 - add an ephemeral, cacheable mechanism by which KDCs can bootstrap a
symmetric x-realm principal key

 - add a way to make one of those keys permanent

 - use DANE for realm public key authentication

 - use DANE stapling to avoid the need for slow I/O in KDCs

The only part of this that's difficult at all is the DANE stapling part.

The PKINIT part is just a matter of tweaking policy code on the AS side.

The kx509 part is easy (though I think the protocol should be revised
so it can go on the Standards track) as code exists and the protocol
is rather simple (it's just a kerberized service that takes a public
key from the client and returns a short-lived certificate for the same
key with the client's principal name as the subject).

Transit path handling is easy: all transit paths become hierarchical
paths when using DANE.  (But when using PKIX transit path processing
gets complicated as we must then implement X500 style realm naming.)

Nico
--
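The remark that DANE makes every transit path a hierarchical one refers to the default realm walk RFC 4120 describes for domain-style realm names. The following is an added example, not code from the message, the Internet-Draft, or any Kerberos implementation: it derives that hierarchical path between two domain-style realms and checks a ticket's list of transited realms against it. It assumes plain realm names rather than the DOMAIN-X500-COMPRESS encoding used in the real transited field, and it follows MIT krb5's convention that realms with no common suffix meet at their top-level labels (there is no root realm).

```python
from typing import List, Optional


def _parents(realm: str) -> List[str]:
    """ATHENA.MIT.EDU -> ['ATHENA.MIT.EDU', 'MIT.EDU', 'EDU'] (domain-style hierarchy)."""
    labels = realm.upper().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def hierarchical_path(client_realm: str, server_realm: str) -> List[str]:
    """Realms crossed, in order, from client_realm to server_realm: walk up to the
    closest common suffix, then back down. With no common suffix the top-level
    realms are treated as adjacent (assumption modelled on MIT krb5's walk)."""
    up = _parents(client_realm)
    down = _parents(server_realm)
    common: Optional[str] = next((r for r in up if r in down), None)
    if common is None:
        return up + list(reversed(down))
    return (up[: up.index(common)] + [common]
            + list(reversed(down[: down.index(common)])))


def transited_realms(client_realm: str, server_realm: str) -> List[str]:
    """Intermediate realms a ticket would carry in its transited field (endpoints excluded)."""
    return hierarchical_path(client_realm, server_realm)[1:-1]


def check_transited(client_realm: str, server_realm: str, transited: List[str]) -> bool:
    """Accept only if the listed realms appear, in order, on the hierarchical path.
    Any realm off the path (or out of order) means the ticket did not follow
    the expected hierarchy and should be rejected by transit-path policy."""
    path = transited_realms(client_realm, server_realm)
    pos = 0
    for realm in transited:
        try:
            pos = path.index(realm.upper(), pos) + 1
        except ValueError:
            return False
    return True


if __name__ == "__main__":
    # constructed sample realms, not taken from the message
    print(hierarchical_path("ATHENA.MIT.EDU", "ECE.CMU.EDU"))
    print(check_transited("ATHENA.MIT.EDU", "ECE.CMU.EDU", ["MIT.EDU", "EDU", "CMU.EDU"]))
```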

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos