[4115] in Kerberos
Re: kerberos limit ?
daemon@ATHENA.MIT.EDU (Joe Ramus)
Mon Oct 31 12:13:07 1994
Date: Mon, 31 Oct 94 09:00:31 PST
From: ramus@nersc.gov (Joe Ramus)
To: kerberos@MIT.EDU, mamros@ftp.com
>> Date: Fri, 28 Oct 1994 08:37:20
>> From: mamros@ftp.com (Shawn Mamros)
>> Organization: FTP Software, North Andover, Massachusetts
>>
>> gaskell@thunder.dstc.qut.edu.au (Gary Gaskell) writes:
>> >PS I think Kerberos is criticised for scalability, not due to the number of
>> >people in a realm, but as inter-realm requires bi-lateral key management,
>> >using secret key technology. This is not scalable to global info systems.
>> [...]
>>
>> True for V4. Not true for V5 - cross-realm authentication can traverse
>> multiple realms if they're set up in a tree-structured fashion, somewhat
>> similar to DNS. If, for example, you're in realm BAR.COM, and I'm in
>> FOO.COM, then if there's a realm named simply COM that we both exchange
>> cross-realm keys with, our two realms can cross-authenticate without
>> our having to exchange keys. When there is one or more "intermediate"
>> realms providing cross-realm authentication, the list of the realms
>> traversed is available as part of the ticket, so an application server
>> could still reject a cross-realm ticket if it passes through an "untrusted"
>> realm.
>>
>> See RFC 1510 for further information on this and many other features...
>>
>> -Shawn Mamros
>> E-mail to: mamros@ftp.com
There is no need for "a tree-structured fashion".
The ESnet Kerberos Pilot project has demonstrated a "Configured" set
of trusted realms. For example:
FOO.COM shares keys with BIG.GOV who also shares keys with TOP.NET.
And BAR.COM shares keys with TOP.NET.
Now there is a trusted path from FOO.COM to BAR.COM.
And also a path from BAR.COM to BIG.GOV.
This code may be in the latest MIT release of Kerberos 5:
Beta 4 patchlevel 3
----------------------------------------------------------------
| Joe Ramus NERSC Livermore (510) 423-8917 ramus@nersc.gov |
----------------------------------------------------------------
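The two trust-path models discussed in this thread, as an added illustration that is not part of the original message or of the ESnet pilot's code: the hierarchical walk that Shawn describes (ascend the client realm's name hierarchy to the common ancestor, descend to the server realm), the "configured" path that Joe describes (a shortest path through whatever bilateral keys exist, using his FOO.COM/BIG.GOV/TOP.NET/BAR.COM example), and the application-server check against the transited-realm list in the ticket. All function names and the key table are assumptions made for this example; the hierarchical walk is simplified to realms that share a name suffix.

```python
"""Cross-realm Kerberos trust paths: hierarchical vs. configured (toy model).

Assumptions for this example (not from the original post): realm names are
domain-style, the key table below is a constructed sample, and the
hierarchical walk is limited to realms with a common suffix.
"""
from collections import deque

# Constructed sample of bilateral cross-realm keys from Joe Ramus's example.
ESNET_KEYS = [
    ("FOO.COM", "BIG.GOV"),
    ("BIG.GOV", "TOP.NET"),
    ("BAR.COM", "TOP.NET"),
]


def hierarchical_path(client_realm, server_realm):
    """Intermediate realms a KDC traverses under the default V5 hierarchy.

    Walks up from the client realm to the nearest common ancestor and down to
    the server realm. Returns [] when the realms share a key directly (parent
    and child) and None when no common ancestor exists (simplification)."""
    c = client_realm.split(".")
    s = server_realm.split(".")
    common = []
    while c and s and c[-1] == s[-1]:
        common.insert(0, c.pop())
        s.pop()
    if not common:
        return None
    path = []
    for i in range(len(c) - 1):          # ascend from the client realm
        path.append(".".join(c[i + 1:] + common))
    if c and s:                          # the common ancestor itself
        path.append(".".join(common))
    for i in range(len(s) - 1, 0, -1):   # descend toward the server realm
        path.append(".".join(s[i:] + common))
    return path


def configured_path(keys, client_realm, server_realm):
    """Intermediate realms on a shortest path through configured keys.

    keys: (realm_a, realm_b) pairs that share a cross-realm key (symmetric).
    Returns [] for a direct key and None when no trusted path exists."""
    graph = {}
    for a, b in keys:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    prev = {client_realm: None}
    queue = deque([client_realm])
    while queue:
        realm = queue.popleft()
        if realm == server_realm:
            break
        for nxt in sorted(graph.get(realm, ())):   # sorted: deterministic
            if nxt not in prev:
                prev[nxt] = realm
                queue.append(nxt)
    if server_realm not in prev:
        return None
    chain = []
    r = server_realm
    while r is not None:
        chain.append(r)
        r = prev[r]
    chain.reverse()
    return chain[1:-1]


def accept_ticket(transited, untrusted):
    """Application-server policy on the ticket's transited-realm list.

    Returns (accepted, offending_realms); any intermediate realm the server
    does not trust causes rejection, as the thread describes."""
    offending = [r for r in transited if r in untrusted]
    return (not offending, offending)


if __name__ == "__main__":
    print("hierarchical BAR.COM -> FOO.COM:", hierarchical_path("BAR.COM", "FOO.COM"))
    print("configured FOO.COM -> BAR.COM:", configured_path(ESNET_KEYS, "FOO.COM", "BAR.COM"))
    print("configured BAR.COM -> BIG.GOV:", configured_path(ESNET_KEYS, "BAR.COM", "BIG.GOV"))
    print("server trusting only BIG.GOV:", accept_ticket(["BIG.GOV", "TOP.NET"], {"TOP.NET"}))
```

The hierarchical walk yields [COM] for BAR.COM to FOO.COM, matching Shawn's example, while the configured graph yields [BIG.GOV, TOP.NET] for FOO.COM to BAR.COM and [TOP.NET] for BAR.COM to BIG.GOV, matching Joe's. Either way the intermediate realms are what an application server sees in the transited field, so the acceptance policy is the same regardless of how the KDCs found the path.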