Re: Concealing user principal names for realm crossover
From: Rick van Rein <rick@openfortress.nl>
In-Reply-To: <1426358633.2981.53.camel@willson.usersys.redhat.com>
Date: Mon, 16 Mar 2015 11:46:56 +0100
Message-Id: <A66E2D69-F330-4E95-B9DC-C56B136E7B83@openfortress.nl>
To: Simo Sorce <simo@redhat.com>
Cc: "<kerberos@mit.edu>" <kerberos@mit.edu>
Hello,
Simo Sorce wrote:
>> * Is this concealment of user names considered a good idea?
>
> It may be useful
I now realise I didn’t state my purposes:
* the ability of a remote service to configure access to roles/groups, and leave the assignment of individuals to roles/groups to the sender realm
* privacy of authentication names towards remote realms that may be totally unknown
* more control over return communication by using different names towards different remote parties
>> * Is the idea of going through user/role with KDC-enforced policy good?
>
> I do not think the idea of changing principal names is particularly
> good.
The path user@MYREALM -> user/group@MYREALM -> group@MYREALM is just one way of doing this, I suppose. It’d be a realm-internal implementation choice to do it this way. I would be interested to learn what you dislike about it.
>> * Am I correct that there are no protocol elements for it yet?
>
> No, there is Authorization Data which you should use for this kind of
> messaging. You can use the CAMMAC now to be able to assign roles in a
> custom AD and have it transported from your TGT to service tickets w/o
> further processing power spent at TGS time.
Thanks, will study.
>> * Are the ideas under (1) and (2) above worth considering?
>
> Probably not. (1) should be handled with additional Authorization Data,
> (2) probably using FAST into a pkinit anonymous channel.
Thanks.
-Rick
P.S. I know this overlaps Kitten activity; I wanted to poll on this user-oriented list first.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos