[3916] in Kerberos
hierarchical realms
daemon@ATHENA.MIT.EDU (*Hobbit*)
Mon Sep 26 01:34:08 1994
To: kerberos@MIT.EDU
Date: 26 Sep 1994 00:41:15 EDT
From: *Hobbit* <hobbit@asylum.sf.ca.us>

An initial protocol could be done now. A pseudo-standard, such as looking
up "kerberos.foo.com" and getting back an address[es] of a KDC, could prevent
krb.conf and krb.realms from suffering "host table" disease as more and
more sites kerberize and need to interact securely with other sites.

If such a thing is spoofed, and an attacker is masquerading as a KDC, how
is said attacker going to be able to hand out tickets with the right
keys in the first place? The user [or his "kinit"] would notice
pretty fast if something was wrong..
_H*
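
Added example, not part of the original message: a toy model of the initial ticket exchange, showing that a host which merely answers at the looked-up KDC address cannot produce a reply that kinit accepts unless it holds the user's key. The cipher (an HMAC-SHA256 keystream plus tag), the PBKDF2 string-to-key, and the names `ToyKDC`, `kinit`, `alice` and realm `FOO.COM` are assumptions for illustration, not Kerberos's actual encryption or message formats.

```python
import hashlib, hmac, os

def string_to_key(password, realm):
    # Stand-in for Kerberos string-to-key (assumption: PBKDF2, not the real function).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), realm.encode(), 10_000)

def _stream(key, nonce, n):
    # Toy keystream: HMAC-SHA256 in counter mode (illustration only).
    blocks = (hmac.new(key, b"enc" + nonce + bytes([i]), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None  # wrong key or tampered reply
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class ToyKDC:
    """Whatever host answers at the address the lookup returned."""
    def __init__(self, principal_keys):
        self.keys = principal_keys  # principal -> long-term key

    def as_reply(self, principal, client_nonce):
        # An impostor has no entry for the user, so it can only guess a key.
        key = self.keys.get(principal, os.urandom(32))
        return seal(key, client_nonce + os.urandom(16))  # nonce + session key

def kinit(kdc, principal, password, realm):
    """Return the session key, or None if the reply does not verify."""
    nonce = os.urandom(8)
    body = unseal(string_to_key(password, realm), kdc.as_reply(principal, nonce))
    if body is None or body[:8] != nonce:
        return None
    return body[8:]

REALM = "FOO.COM"  # constructed sample realm
real_kdc = ToyKDC({"alice": string_to_key("correct horse", REALM)})
spoofed_kdc = ToyKDC({})  # answers at the KDC address but holds no user keys

if __name__ == "__main__":
    print("real KDC:   ", kinit(real_kdc, "alice", "correct horse", REALM) is not None)
    print("spoofed KDC:", kinit(spoofed_kdc, "alice", "correct horse", REALM) is not None)
```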