On Tue, Jul 1, 2014 at 1:01 PM, Rick van Rein <r...@openfortress.nl> wrote:
> I’ve been thinking about realm-crossing lately, specifically between hitherto
> unknown parties — that is, for use across the general Internet.
I have too. I've an Internet-Draft on the subject. I intend to update it soon. If all goes well I might find myself implementing a few months from now, or if not maybe we can con someone else into doing it.

My plan is roughly:

 - kx509 (local realm) -> PKINIT at remote realm to get a TGT for krbtgt/REMOTE@REMOTE
 - add an ephemeral, cacheable mechanism by which KDCs can bootstrap a symmetric x-realm principal key
 - add a way to make one of those keys permanent
 - use DANE for realm public key authentication
 - use DANE stapling to avoid the need for slow I/O in KDCs

The only part of this that's difficult at all is the DANE stapling part.

The PKINIT part is just a matter of tweaking policy code on the AS side.

The kx509 part is easy (though I think the protocol should be revised so it can go on the Standards track) as code exists and the protocol is rather simple (it's just a kerberized service that takes a public key from the client and returns a short-lived certificate for the same key with the client's principal name as the subject).

Transit path handling is easy: all transit paths become hierarchical paths when using DANE. (But when using PKIX transit path processing gets complicated as we must then implement X500 style realm naming.)

Nico

-- 
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
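The hierarchical transit path Nico refers to, as an added illustration that is not code from this thread or from any Kerberos implementation: given two DNS-style realm names, it computes the intermediate realms a KDC would expect on the hierarchical walk and checks an already-decoded transited realm list against it. It assumes uppercase DNS-style realms and an expanded list, not the DOMAIN-X500-COMPRESS wire encoding of the transited field; with no common ancestor it routes through both top-level realms.

```python
from typing import List, Optional, Sequence

# Added illustration (not from the thread or any Kerberos implementation).
# Assumes uppercase DNS-style realm names, e.g. "A.EXAMPLE.COM".


def _ancestors(realm: str) -> List[str]:
    """Return the realm followed by each parent realm, shortest last.

    'A.EXAMPLE.COM' -> ['A.EXAMPLE.COM', 'EXAMPLE.COM', 'COM']
    """
    labels = realm.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def hierarchical_path(client_realm: str, server_realm: str) -> List[str]:
    """Intermediate realms on the hierarchical path, excluding both endpoints.

    Walk up from the client realm to the nearest common ancestor, then down
    to the server realm.  If the two realms share no ancestor, the walk goes
    up through the client's top-level realm and down through the server's
    (an assumption of this illustration).
    """
    if client_realm == server_realm:
        return []
    up = _ancestors(client_realm)
    down = _ancestors(server_realm)
    common: Optional[str] = next((r for r in up if r in down), None)
    if common is None:
        return up[1:] + list(reversed(down[1:]))
    # Parents of the client up to and including the common ancestor, then
    # the server's parents below that ancestor in top-down order.
    upward = up[1:up.index(common) + 1]
    downward = list(reversed(down[1:down.index(common)]))
    return upward + downward


def transited_is_hierarchical(client_realm: str, server_realm: str,
                              transited: Sequence[str]) -> bool:
    """True iff the transited realms are exactly the expected hierarchical path.

    Any extra, missing or reordered realm is a policy failure: the ticket
    crossed a realm the hierarchical walk does not account for.
    """
    return list(transited) == hierarchical_path(client_realm, server_realm)
```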