Hello,

I’ve been thinking about realm-crossing lately, specifically between hitherto 
unknown parties — that is, for use across the general Internet.

With DANE installed as an RFC, I can see ways of placing public keys and/or 
X.509 certificates in signed DNS, thus enabling strong security for a KDC which 
uses such certificates.  Better even, the DANE entries mention the service 
port, so they’re even adding information to separate the KDC from other 
services.

Then I ran into PKCROSS, a seemingly promising attempt at doing just this, 
except that it probably preceded DANE and ran into certificate distribution 
problems.  Or was this not what happened to it?  I cannot find anything but 
hopes and promises; why has it never advanced into an RFC?

Thanks,
 
Rick van Rein
OpenFortress
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
