[OpenAFS] feasibility of moving lightweight-principals issue
"upstream" to kerberos
Fri, 30 Dec 2005 16:20:02 -0500
On Thursday, December 29, 2005 11:27:57 PM -0800 Adam Megacz
> I really think it's more of a political issue than anything else; I
> doubt they'd ever accept anything involving public key crypto as an
> "official, standard, core" part of Kerberos.
I'm quite sure you're wrong; there is no political barrier to adding
features to Kerberos which make use of public key crypto. At least, I
haven't noticed any during my time in the IETF.
PKINIT is pretty much complete; once I am convinced that no further work is
required on the one remaining issue, I will ask the responsible Area
Director to take it to the IESG with a request to publish as a proposed
standard. See draft-ietf-cat-kerberos-pk-init-31.txt.
With the current PKINIT spec, it is certainly possible to have a KDC which
issues tickets to clients on the basis of certificates signed by a CA it
trusts, without requiring prior registration of those clients with the KDC.
Of course I'd expect any real-life realm administrator to be rather
conservative about what CA's he trusts, and I can't predict what sort of
principal names such a realm might choose to use in real life.
> I'm willing to contribute substantial developer-hours to realizing the
> goal of easy, administrator-intervention-free cross-realm and
> non-realm authentication.
Cross-realm authentication is always going to be at the discretion of the
realm administrators involved; that's a policy issue, not a technical one.
However, it is possible to build a public-key-based mechanism which would
make it possible to perform cross-realm authentication without requiring
manual intervention by the realm admins each time. This is what PKCROSS is
all about, and while we've turned our attention away from that for a while
to get other things done (PKINIT, updates to the core Kerberos spec, etc),
I'm sure there are people who will be interested in picking up that work
once enough cycles become available. Take a look at
draft-ietf-cat-kerberos-pk-cross, if you can find a copy (try the archive
If you're interested in participating in this work, you should do exactly
what Jeff described -- become active in the IETF Kerberos Working Group.
Subscribe to the email@example.com mailing list (via firstname.lastname@example.org).
Contribute to the ongoing work. Volunteer to edit a draft.