Hi Rick,

I've spent a bit of time pecking away at this over the last six months or so. 
Current thoughts are here: 
http://www.freeipa.org/page/Collaboration_with_Kerberos please feel free to 
edit/criticize/improve. I really haven't looked at DANE.

First thing is that Kerberos for desktops will need some sort of extra user 
attributes, and it may or may not make sense to respect the attributes defined 
in the home domain (may want to locally override username/uid/gid to resolve 
conflicts between uncoordinated external domains, and/or define your own home 
directory.) Second thing is that preliminary testing indicates that MIT krb5 
wants to have a principal defined locally for PKINIT to work.

Upshot is that you might need a gateway server to intercept users on first 
appearance in your local domain in order to allocate an entry for them in 
whatever serves user attributes for your local domain. At the very least, you 
need to have something create individual cross-realm principals in the KDC 
before you attempt to PKINIT.

Can maybe do this with plugins for krb5? Haven't got that far.

Join in! I'm not all that smart, so I'm pretty sure you can only improve what 
I did.

Bryce

> -----Original Message-----
> From: kerberos-boun...@mit.edu [mailto:kerberos-boun...@mit.edu] On
> Behalf Of Rick van Rein
> Sent: Tuesday, July 01, 2014 12:01 PM
> To: kerberos@mit.edu
> Subject: What happened to PKCROSS?
>
> Hello,
>
> I've been thinking about realm-crossing lately, specifically between hitherto
> unknown parties - that is, for use across the general Internet.
>
> With DANE installed as an RFC, I can see ways of placing public keys and/or
> X.509 certificates in signed DNS, thus enabling strong security for a KDC which
> uses such certificates.  Better even, the DANE entries mention the service
> port, so they're even adding information to separate the KDC from other
> services.
>
> Then I ran into PKCROSS, a seemingly promising attempt at doing just this,
> except that it probably preceded DANE and ran into certificate distribution
> problems.  Or was this not what happened to it?  I cannot find anything but
> hopes and promises; why has it never advanced into an RFC?
>
> Thanks,
>
> Rick van Rein
> OpenFortress
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos