Re: revocation feature in Kerberos
daemon@ATHENA.MIT.EDU (Nico Williams)
Mon Aug  4 13:07:09 2014
Date: Mon, 4 Aug 2014 12:06:28 -0500
From: Nico Williams <nico@cryptonector.com>
To: Booker Bense <bbense@gmail.com>
Message-ID: <20140804170627.GM3579@localhost>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <CAEGpuoid80bP2Gj2E8R4-341VyBryzxTRQHcMbnU3qH+eqWSAQ@mail.gmail.com>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Sun, Aug 03, 2014 at 11:33:58AM -0700, Booker Bense wrote:
> This whole conversation seems misguided to me. Kerberos is an
> authentication system, not an authorization one. Access to a service
> is an authorization issue. Since there is no universal authorization
> scheme for kerberos applications, any workable revocation system will
> have to build that first. That would be a very useful tool, but I'm
> afraid it might be about 20 years too late.
This isn't about authorization.  The thing being revoked is the
principal and/or its extant tickets.
Kerberos' design specifically obviates the need for a revocation system:
use short-lived tickets and you're mostly set.
That said, we've long ago stopped arguing about Kerberos as an
authentication system, and its relevance to authorization.  Kerberos is
relevant even to the simplest authorization schemes just by dint of
delivering the key to those schemes: the authenticated identity
(principal name).  Often Kerberos also carries authorization-specific
attributes (e.g., PAC, CAMMAC).  Either way Kerberos is orthogonal to
authorization, but authentication is integral to authorization,
therefore it's hard to separate the two.  Incidentally, the rest of the
world (e.g., SAML) long ago accepted that an attribute model of identity
(and therefore authentication) is more important than the more
traditional Kerberos model.
Nico
-- 
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
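As an added illustration of the point Nico makes above (a toy model written for this page, not code from the thread or from MIT krb5): only the KDC ever checks whether a principal is disabled, application servers check nothing but the ticket's validity window, so the residual exposure after disabling a principal is bounded by the lifetime of the tickets it already holds. The `max_life` and `renew_till` names mirror the kdc.conf concepts; all principal names and timestamps are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Ticket:
    client: str
    service: str
    endtime: int      # seconds since epoch (constructed values)
    renew_till: int   # latest time a renewal may extend endtime to

@dataclass
class KDC:
    max_life: int = 10 * 3600            # kdc.conf-style max_life (assumed 10h)
    max_renewable_life: int = 7 * 86400  # kdc.conf-style max_renewable_life
    disabled: set = field(default_factory=set)   # principals with tickets locked out

    def issue(self, client: str, service: str, now: int) -> Ticket:
        # AS and TGS requests both pass through the KDC, which is the only
        # place a disabled principal is refused.
        if client in self.disabled:
            raise PermissionError(f"{client}: client locked out by KDC")
        return Ticket(client, service, now + self.max_life,
                      now + self.max_renewable_life)

    def renew(self, ticket: Ticket, now: int) -> Ticket:
        # Renewal is also a KDC round trip, so a disabled principal cannot
        # stretch an existing ticket past its current endtime.
        if ticket.client in self.disabled:
            raise PermissionError(f"{ticket.client}: renewal refused")
        if now >= ticket.endtime:
            raise ValueError("expired tickets cannot be renewed")
        new_end = min(now + self.max_life, ticket.renew_till)
        return Ticket(ticket.client, ticket.service, new_end, ticket.renew_till)

def service_accepts(ticket: Ticket, now: int) -> bool:
    # An application server validates the ticket offline: correct key and
    # a current validity window. It never asks the KDC about revocation.
    return now < ticket.endtime

def exposure_after_disable(ticket: Ticket, disable_time: int) -> int:
    # Seconds an already-issued ticket stays usable once its principal is
    # disabled: the remaining ticket life, never more than max_life.
    return max(0, ticket.endtime - disable_time)
```

Shrinking `max_life` shrinks `exposure_after_disable`, which is the "short-lived tickets and you're mostly set" argument in numbers.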