[36322] in Kerberos
RE: revocation feature in Kerberos
daemon@ATHENA.MIT.EDU (Nordgren, Bryce L -FS)
Thu Jul 31 19:23:19 2014
From: "Nordgren, Bryce L -FS" <bnordgren@fs.fed.us>
To: "'Benjamin Kaduk'" <kaduk@mit.edu>, "'kerberos@mit.edu'" <kerberos@mit.edu>
Date: Thu, 31 Jul 2014 23:22:23 +0000
Message-ID: <82E7C9A01FD0764CACDD35D10F5DFB6E70CA49@001FSN2MPN1-045.001f.mgd2.msft.net>
In-Reply-To: <alpine.GSO.1.10.1407311841150.21571@multics.mit.edu>
Content-Language: en-US
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Beware the asymmetry.
When considering schemes like this, please be on the lookout for new connectivity requirements. Consider an organization with a tightly guarded KDC on their intranet, to which all the employees authenticate. Outside their firewall is another KDC with "supplemental" external users and hosts. The normal connection pattern for employees would be to kinit inside the firewall, traverse a trust outside the firewall, and finally connect to the server.
The server outside the firewall cannot contact the KDC which manages the user principals.
Neither can the KDC which manages the public-facing, company-managed network.
Revocation schemes must account for situations where parties other than the authenticated user cannot contact the user's home KDC.
Bryce
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
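The asymmetry Bryce describes can be made concrete with a small model. The following Python is an added example written for this archive page; it is not code from the mail, from MIT Kerberos or from any real KDC. The reachability graph, the host names, the principal name and the toy ticket/KDC classes are all constructed assumptions chosen to match the described topology (a home KDC reachable only from inside the firewall, an external KDC and server reachable from anywhere). It shows two things: an online "pull" revocation check against the user's home KDC is feasible only from the client, never from the external KDC or the server; and if revocation is enforced where the user already has to go (issue and renewal at the home KDC), the exposure after a revocation is bounded by the ticket lifetime rather than by connectivity the relying parties do not have.

```python
from dataclasses import dataclass

# Constructed reachability graph (assumption, not from the mail): an edge A -> B means
# A can open a connection to B. Only the client, inside the firewall, can reach the home KDC.
REACHABLE = {
    "client": {"kdc.internal", "kdc.external", "server.external"},
    "kdc.internal": set(),
    "kdc.external": {"server.external"},
    "server.external": set(),
}
HOME_KDC = "kdc.internal"          # the realm that manages the user principals
PRINCIPAL = "user@INTERNAL.EXAMPLE"  # constructed principal name


def can_reach(src: str, dst: str) -> bool:
    return dst in REACHABLE.get(src, set())


def normal_flow_ok() -> bool:
    """kinit at the home KDC, cross-realm TGT from the external KDC, then the service.
    Every hop is initiated by the client, so only client connectivity matters."""
    return all(can_reach("client", hop) for hop in (HOME_KDC, "kdc.external", "server.external"))


def pull_check_feasible() -> dict:
    """A 'pull' revocation scheme: the verifier asks the user's home KDC whether the
    principal is still good. Feasible only for parties that can reach that KDC."""
    return {party: can_reach(party, HOME_KDC)
            for party in ("client", "kdc.external", "server.external")}


@dataclass
class Ticket:
    principal: str
    issued_at: int   # seconds on a constructed clock
    lifetime: int

    def valid_at(self, now: int) -> bool:
        return self.issued_at <= now < self.issued_at + self.lifetime


class HomeKDC:
    """Toy model of the realm that owns the user principal: it refuses to issue or
    renew tickets for revoked principals, and that is the only place it can act."""
    def __init__(self):
        self.revoked = set()

    def issue(self, principal: str, now: int, lifetime: int):
        return None if principal in self.revoked else Ticket(principal, now, lifetime)

    def revoke(self, principal: str):
        self.revoked.add(principal)


def service_accepts(ticket, now: int) -> bool:
    """The external server cannot reach the home KDC, so it can only check what it
    already holds: the ticket's validity window (and, in real Kerberos, its cryptography)."""
    if can_reach("server.external", HOME_KDC):
        raise RuntimeError("model violation: the server is not supposed to reach the home KDC")
    return ticket is not None and ticket.valid_at(now)


def simulate(lifetime: int, revoke_at: int) -> tuple:
    """Lifetime-bounded revocation. Returns (last second the server still accepts the
    old ticket, seconds of exposure after revocation, whether renewal succeeds)."""
    kdc = HomeKDC()
    ticket = kdc.issue(PRINCIPAL, 0, lifetime)
    kdc.revoke(PRINCIPAL)  # happens at revoke_at; the server never learns of it
    last_accepted = max((t for t in range(lifetime + 1) if service_accepts(ticket, t)),
                        default=-1)
    exposure = max(0, last_accepted - revoke_at + 1)
    # Renewal is initiated by the client, which can reach the home KDC; it is refused.
    renewed = kdc.issue(PRINCIPAL, lifetime, lifetime)
    return last_accepted, exposure, renewed is not None


if __name__ == "__main__":
    print("normal flow:", normal_flow_ok())
    print("pull check feasible from:", pull_check_feasible())
    print("lifetime 600s, revoked at 100s ->", simulate(600, 100))
```

Running it prints that the normal flow works, that only the client can reach the home KDC for a pull check, and that with a 600-second ticket revoked at second 100 the server keeps accepting the ticket until second 599 (500 seconds of exposure) while the client's renewal is refused. The design point is that any scheme needing the external KDC or the server to call home would fail in this topology, whereas bounding exposure by lifetime costs no new connectivity.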