[36247] in Kerberos
Re: What happened to PKCROSS?
daemon@ATHENA.MIT.EDU (Nico Williams)
Wed Jul 2 16:15:45 2014
MIME-Version: 1.0
In-Reply-To: <D89A3893-24D6-4C83-9B30-CF928A404AAF@openfortress.nl>
Date: Wed, 2 Jul 2014 15:15:29 -0500
Message-ID: <CAK3OfOjiS8uN13Fo37=5aO4bXDPcmhx=nB5cmuqP_2NaustfnQ@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Rick van Rein <rick@openfortress.nl>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
BTW, DANE stapling is not that hard. I have been pointed at AGL's
code for it. The RP side doesn't need a DNSSEC resolver to implement
it because all the records are stapled, and the RP doesn't need to
implement non-existence checking and so on -- just validate the
signature chain to the RP's DNSSEC root and check "name constraints".

Producing the stapled data is not hard either. There's a Python
script that uses dig(1) that supports this. It needs to learn to be a
daemon that wakes before the shortest TTL passes to refresh the chain.

Stapling should result in fewer external dependencies for the Kerberos
libraries, so that's a big win.

Nico
--
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
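An added example, not code from the message above or from any Kerberos implementation, that shows the two pieces of work the post describes: the RP-side structural checks on a stapled chain (every stapled RRset carries an RRSIG, each signer is a zone at or above the owner, which is how "name constraints" is read here, and the DS/DNSKEY links run up to a pinned root key) and the producer-side question of when the stapling daemon must wake to refetch. It assumes the stapler captured `dig +dnssec` output in presentation format; the records, key tags and signatures below are constructed placeholders, and the RRSIG cryptography itself is deliberately not verified (that part belongs to a DNSSEC library).

```python
"""Structural checks on a stapled DANE/DNSSEC chain and refresh scheduling.

Added example, not from the list post or any Kerberos implementation.
Assumes the stapling script captured `dig +dnssec` output (presentation
format) for the TLSA RRset and every DNSKEY/DS RRset up to the root.
RRSIG signatures are NOT verified here; only the chain's shape is.
"""
import calendar
import time
from collections import defaultdict, namedtuple

Record = namedtuple("Record", "owner ttl rtype rdata")

TARGET = "_443._tcp.kdc.example."   # constructed target name
ROOT_KEY_TAG = "22222"              # stands in for the RP's pinned root trust anchor

# Constructed sample chain: key data, digests and signatures are placeholders.
STAPLED = """\
_443._tcp.kdc.example. 300 IN TLSA 3 1 1 0123abcd
_443._tcp.kdc.example. 300 IN RRSIG TLSA 13 4 300 20140801000000 20140702000000 12345 example. sigA
example. 3600 IN DNSKEY 257 3 13 kskExample
example. 3600 IN DNSKEY 256 3 13 zskExample
example. 3600 IN RRSIG DNSKEY 13 1 3600 20140801000000 20140702000000 11111 example. sigB
example. 86400 IN DS 11111 13 2 dsDigest
example. 86400 IN RRSIG DS 8 1 86400 20140801000000 20140702000000 22222 . sigC
. 172800 IN DNSKEY 257 3 8 kskRoot
. 172800 IN RRSIG DNSKEY 8 0 172800 20140801000000 20140702000000 22222 . sigD
"""


def parse(text):
    """Parse dig-style lines: owner TTL class type rdata..."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(";"):
            owner, ttl, _cls, rtype, *rdata = line.split()
            records.append(Record(owner.lower(), int(ttl), rtype, rdata))
    return records


def labels(name):
    return [l for l in name.rstrip(".").split(".") if l]   # "." -> []


def is_ancestor_or_self(zone, name):
    z, n = labels(zone), labels(name)
    return len(z) <= len(n) and n[len(n) - len(z):] == z


def check_chain(records, target, root_key_tag=ROOT_KEY_TAG):
    """Return structural problems; [] means the chain has the right shape
    (the RRSIGs themselves still need cryptographic verification)."""
    target = target.lower()
    rrsets, sigs = defaultdict(list), defaultdict(list)
    for r in records:
        if r.rtype == "RRSIG":
            sigs[(r.owner, r.rdata[0])].append(r)     # rdata[0] = type covered
        else:
            rrsets[(r.owner, r.rtype)].append(r)

    def signer_of(owner, rtype):
        s = sigs.get((owner, rtype))
        return s[0].rdata[7].lower() if s else None   # rdata[7] = signer name

    problems = []
    if (target, "TLSA") not in rrsets:
        problems.append(f"no TLSA RRset for {target}")
    # Name constraint: each RRset is signed by a zone at or above its owner,
    # and that zone's DNSKEY RRset must itself be stapled.
    for owner, rtype in rrsets:
        signer = signer_of(owner, rtype)
        if signer is None:
            problems.append(f"{owner} {rtype}: no RRSIG")
        elif not is_ancestor_or_self(signer, owner):
            problems.append(f"{owner} {rtype}: signer {signer} is not an ancestor")
        elif (signer, "DNSKEY") not in rrsets:
            problems.append(f"{owner} {rtype}: DNSKEY RRset of {signer} not stapled")
    # Walk upward: every signing zone below the root needs a DS, its DNSKEY RRset
    # must be signed by the key that DS names, and the DS must be signed by a
    # strict ancestor, until the root is reached.
    zone = signer_of(target, "TLSA")
    while zone not in (None, "."):
        ds = rrsets.get((zone, "DS"))
        if not ds:
            problems.append(f"{zone}: no DS stapled, chain to the root is broken")
            break
        tags = {d.rdata[0] for d in ds}                # DS key tag
        if not any(s.rdata[6] in tags for s in sigs.get((zone, "DNSKEY"), [])):
            problems.append(f"{zone}: DNSKEY RRset not signed by a key its DS names")
        parent = signer_of(zone, "DS")
        if parent is None or parent == zone or not is_ancestor_or_self(parent, zone):
            problems.append(f"{zone}: DS not signed by a parent zone")
            break
        zone = parent
    # The chain must end at a root DNSKEY RRset signed by the pinned anchor.
    if not any(s.rdata[6] == root_key_tag for s in sigs.get((".", "DNSKEY"), [])):
        problems.append("root DNSKEY RRset missing or not signed by the pinned key")
    return problems


def rrsig_time(stamp):
    return calendar.timegm(time.strptime(stamp, "%Y%m%d%H%M%S"))


def refresh_deadline(records, fetched_at):
    """Unix time by which a fresh chain must be stapled: the shortest TTL
    counted from the fetch, or the earliest RRSIG expiry, whichever is first."""
    shortest_ttl = min(r.ttl for r in records)
    earliest_expiry = min(rrsig_time(r.rdata[4]) for r in records if r.rtype == "RRSIG")
    return min(fetched_at + shortest_ttl, earliest_expiry)


def seconds_until_refresh(records, fetched_at, fraction=0.5):
    """Daemon sleep: a fraction of the remaining lifetime, so the refetch
    lands well before the stapled chain goes stale."""
    return max(0, int((refresh_deadline(records, fetched_at) - fetched_at) * fraction))


RECORDS = parse(STAPLED)

if __name__ == "__main__":
    fetched = rrsig_time("20140702000000")   # pretend the chain was fetched at inception
    print("problems:", check_chain(RECORDS, TARGET) or "none")
    print("refresh in", seconds_until_refresh(RECORDS, fetched), "seconds")
```

Two things the checks intentionally leave to a real DNSSEC library: verifying the RRSIG values against the stapled DNSKEYs, and computing key tags from key material (here the DS/RRSIG tags are compared as strings only). The refresh deadline uses the shortest TTL in the bundle but also caps it at the earliest RRSIG expiry, since a long-TTL RRset whose signature lapses first would otherwise be served stale.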