[OpenAFS-devel] RT, Gerrit, Release Management changes

Booker Bense bbense@gmail.com
Sun, 7 Oct 2012 08:53:48 -0700


On Fri, Oct 5, 2012 at 9:02 PM, Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:
>>> Would it be feasible for us to 'eat our own dogfood', so to speak, and
>>> use SPNEGO and cross-realm Kerberos to log into RT? (If this is already
>>> implemented, and I haven't noticed, then I will volunteer myself to go
>>> document it better)
>>
>>Cross-realm isn't really a workable solution unless you have tight coordination
>>between realms and general agreement about security policies.
>
> That has NOT been my experience, and we use cross-realm a lot (probably
> more than most sites).  I think there's no reason why we couldn't do
> what Troy is suggesting (other than the kinda pain-in-the-ass part of
> actually setting up cross-realm).


The technical part of cross-realm works just fine; it's the political
part that becomes difficult. If, for instance, the people that give you
money want to implement a policy in which all keys in the KDC are updated
every six months, then you have to do the PITA part with all the other
realms every six months. And how do you justify to auditors that the
people you're letting in from the remote realm follow your policies for
account verification?

- Booker C. Bense