
RE: revocation feature in Kerberos

daemon@ATHENA.MIT.EDU (Nordgren, Bryce L -FS)
Thu Jul 31 19:49:32 2014

From: "Nordgren, Bryce L -FS" <bnordgren@fs.fed.us>
To: "'Nico Williams'" <nico@cryptonector.com>
Date: Thu, 31 Jul 2014 23:49:05 +0000
Message-ID: <82E7C9A01FD0764CACDD35D10F5DFB6E70CE7D@001FSN2MPN1-045.001f.mgd2.msft.net>
In-Reply-To: <CAK3OfOj9udC8_U_pSbhLWNvhDR+nTSta=Uwd_3DEncE4AX9Npw@mail.gmail.com>
Content-Language: en-US
MIME-Version: 1.0
Cc: "'kerberos@mit.edu'" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

> No, the only way in which a revocation protocol for Kerberos makes any
> sense to me is one that involves propagating notices to those services (TGSes
> included) for which the principal in question got extant tickets.

Good. :) Do that.

Seems that the KDC would have to be upgraded with connection info for services (can't trust that instance name == dns; can't trust that the service is running on the standard port).

Oh, and if the service is httpd, slapd, or nfs using principal "host/example.com", how does one figure out which service to contact?

Bryce
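To make the two problems raised in this reply concrete, here is an added sketch (not code from this thread or from MIT Kerberos) of the KDC-side bookkeeping a notice-propagating revocation protocol would need: an index of extant tickets per client, explicitly registered notification endpoints per service principal (since instance name and standard port cannot be trusted), and a revoke step that notifies every endpoint registered under a shared host/ principal and reports service principals that cannot be reached at all. All principals, hosts, ports and times are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Ticket:
    client: str        # principal the ticket was issued to
    service: str       # service principal named in the ticket
    expires: datetime

@dataclass
class RevocationIndex:
    # Service principal -> registered (host, port) notification endpoints; the
    # KDC cannot derive these from the instance name or a default port.
    endpoints: dict = field(default_factory=dict)
    issued: list = field(default_factory=list)

    def register(self, service, host, port):
        self.endpoints.setdefault(service, []).append((host, port))

    def revoke(self, client, now):
        """Return ({(host, port): {services to name in the notice}},
        {services with live tickets but no registered endpoint})."""
        live = {t.service for t in self.issued
                if t.client == client and t.expires > now}
        notices, unresolved = {}, set()
        for svc in live:
            eps = self.endpoints.get(svc, [])
            if not eps:
                unresolved.add(svc)
            # A key shared by several daemons (host/example.com) means any
            # registered endpoint may hold the ticket, so notify all of them.
            for ep in eps:
                notices.setdefault(ep, set()).add(svc)
        self.issued = [t for t in self.issued if t.expires > now]  # drop expired
        return notices, unresolved

def demo():
    # Constructed scenario: alice is revoked while holding several tickets.
    now = datetime(2014, 7, 31, 23, 49, tzinfo=timezone.utc)
    idx = RevocationIndex()
    idx.register("host/example.com@EXAMPLE.COM", "example.com", 443)    # httpd
    idx.register("host/example.com@EXAMPLE.COM", "example.com", 10389)  # slapd
    idx.register("HTTP/www.example.com@EXAMPLE.COM", "www.example.com", 8443)
    live, gone = now + timedelta(hours=8), now - timedelta(hours=1)
    for svc, exp in [("host/example.com@EXAMPLE.COM", live),
                     ("HTTP/www.example.com@EXAMPLE.COM", live),
                     ("nfs/files.example.com@EXAMPLE.COM", live),   # nothing registered
                     ("imap/mail.example.com@EXAMPLE.COM", gone)]:  # already expired
        idx.issued.append(Ticket("alice@EXAMPLE.COM", svc, exp))
    return idx.revoke("alice@EXAMPLE.COM", now)
```

The expired imap ticket produces no notice, the shared host/ key produces one notice per registered daemon, and the nfs principal comes back as unreachable, which is exactly the gap a real deployment would have to close with registration data.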


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos