[36638] in Kerberos


Re: PPTP / L2TP with Kerberos -- what specs does it follow?

daemon@ATHENA.MIT.EDU (Rick van Rein)
Sun Nov 30 15:34:17 2014

Mime-Version: 1.0 (Mac OS X Mail 8.1 \(1993\))
From: Rick van Rein <rick@openfortress.nl>
In-Reply-To: <82E7C9A01FD0764CACDD35D10F5DFB6E75C8A3@001FSN2MPN1-044.001f.mgd2.msft.net>
Date: Sun, 30 Nov 2014 21:33:58 +0100
Message-Id: <D26EC735-6D85-4A1B-90BC-398CDD4FC8B2@openfortress.nl>
To: "Nordgren, Bryce L -FS" <bnordgren@fs.fed.us>
Cc: Ken Hornstein <kenh@cmf.nrl.navy.mil>,
        "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hi,

> Kerberos is not a complete identity solution.

As I understand Kerberos, it IS…

 * a complete local authentication platform
 * a statically configurable realm-xover authentication platform

…and it IS NOT…

 * an on-the-fly realm-xover authentication platform
 * an authorisation platform

The first one is a miss, and is being worked on (PKCROSS, the KREALM record, and ever-improving integration in of protocols).

Authorisation is out of scope, and might need something like LDAP.  Note that authorisation requires trust of the protected resource, so it is usually in the same realm, just using the authenticated identity that has done a realm-xover if necessary.

-Rick
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

