[4109] in Kerberos
Re: kerberos limit ?
daemon@ATHENA.MIT.EDU (Shawn Mamros)
Sat Oct 29 03:12:39 1994
To: kerberos@MIT.EDU
Date: Fri, 28 Oct 1994 08:37:20
From: mamros@ftp.com (Shawn Mamros)
Reply-To: mamros@ftp.com
gaskell@thunder.dstc.qut.edu.au (Gary Gaskell) writes:
>PS I think Kerberos is criticised for scalability, not due to the number of
>people in a realm, but as inter-realm requires bi-lateral key management,
>using secret key technology. This is not scalable to global info systems.
[...]
True for V4. Not true for V5 - cross-realm authentication can traverse
multiple realms if they're set up in a tree-structured fashion, somewhat
similar to DNS. If, for example, you're in realm BAR.COM, and I'm in
FOO.COM, then if there's a realm named simply COM that we both exchange
cross-realm keys with, our two realms can cross-authenticate without
our having to exchange keys. When there are one or more "intermediate"
realms providing cross-realm authentication, the list of the realms
traversed is available as part of the ticket, so an application server
could still reject a cross-realm ticket if it passes through an "untrusted"
realm.
See RFC 1510 for further information on this and many other features...
-Shawn Mamros
E-mail to: mamros@ftp.com
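The two mechanisms Shawn describes, the tree-structured walk from one realm up to a shared parent (BAR.COM -> COM -> FOO.COM) and an application server refusing a ticket whose transited realm list includes a realm it does not trust, as an added example. This is not code from the post, from RFC 1510 or from any Kerberos implementation; realm names are treated as DNS-style dotted names, and the ticket's transited field is modelled as a plain Python list of realm names rather than RFC 1510's compressed string encoding (an assumption made so the example runs stand-alone). The realm names in the sample calls are constructed.

```python
"""Tree-structured Kerberos V5 cross-realm paths and a transited-realm policy check.

Added example; not code from the mailing-list post, from RFC 1510 or from any
Kerberos implementation. Assumptions: realms are DNS-style dotted names, and the
ticket's "transited" field is a Python list of realm names rather than the
compressed encoding RFC 1510 specifies.
"""
from typing import List, Optional, Set


def _ancestors(realm: str) -> List[str]:
    """Return the realm and each of its parent realms, nearest first.

    _ancestors("ATHENA.MIT.EDU") -> ["ATHENA.MIT.EDU", "MIT.EDU", "EDU"]
    """
    labels = realm.upper().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def hierarchical_path(client_realm: str, server_realm: str) -> Optional[List[str]]:
    """Compute the default tree-structured path from client_realm to server_realm.

    Walk up from the client's realm to the nearest realm that is a suffix of both
    names (the junction, e.g. COM for BAR.COM and FOO.COM), then down to the
    server's realm. Both endpoints are included. Returns None when the realms
    share no common ancestor, i.e. no hierarchical path exists and the two realms
    would need a directly shared cross-realm key.
    """
    up = _ancestors(client_realm)
    down = _ancestors(server_realm)
    common = [realm for realm in up if realm in down]
    if not common:
        return None
    junction = common[0]
    path_up = up[:up.index(junction)]
    path_down = list(reversed(down[:down.index(junction)]))
    return path_up + [junction] + path_down


def expected_transited(client_realm: str, server_realm: str) -> Optional[List[str]]:
    """Intermediate realms a ticket records when it follows the hierarchical path."""
    path = hierarchical_path(client_realm, server_realm)
    return None if path is None else path[1:-1]


def accept_cross_realm_ticket(
    client_realm: str,
    server_realm: str,
    transited: List[str],
    untrusted_realms: Set[str],
    require_hierarchical: bool = False,
) -> bool:
    """Application-server policy for a cross-realm ticket.

    Rejects the ticket if any realm in its transited list is one the server does
    not trust. With require_hierarchical=True it also rejects a transited list
    that differs from the hierarchical path, for example a shortcut through a
    directly keyed realm the server did not expect, or a path that skips a level.
    """
    transited = [realm.upper() for realm in transited]
    untrusted = {realm.upper() for realm in untrusted_realms}
    if any(realm in untrusted for realm in transited):
        return False
    if require_hierarchical and transited != expected_transited(client_realm, server_realm):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample realms: the post's BAR.COM / FOO.COM case and a deeper tree.
    print(hierarchical_path("BAR.COM", "FOO.COM"))
    print(hierarchical_path("ATHENA.MIT.EDU", "CS.WASHINGTON.EDU"))
    # A server in FOO.COM that does not trust the COM parent realm rejects the ticket.
    print(accept_cross_realm_ticket("BAR.COM", "FOO.COM", ["COM"], {"COM"}))
```

An empty transited list with `require_hierarchical=False` is accepted, which models two realms that share a direct key; with `require_hierarchical=True` it is accepted only when the realms are the same or adjacent in the tree, since any other pair would have at least one intermediate realm on the hierarchical path.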