[OpenAFS] feasibility of moving lightweight-principals issue "upstream" to kerberos

Jeffrey Hutzelman jhutz@cmu.edu
Fri, 30 Dec 2005 16:20:02 -0500

On Thursday, December 29, 2005 11:27:57 PM -0800 Adam Megacz 
<megacz@cs.berkeley.edu> wrote:

> I really think it's more of a political issue than anything else; I
> doubt they'd ever accept anything involving public key crypto as an
> "official, standard, core" part of Kerberos.

I'm quite sure you're wrong; there is no political barrier to adding 
features to Kerberos which make use of public key crypto.  At least, I 
haven't noticed any during my time in the IETF.

PKINIT is pretty much complete; once I am convinced that no further work is 
required on the one remaining issue, I will ask the responsible Area 
Director to take it to the IESG with a request to publish as a proposed 
standard.  See draft-ietf-cat-kerberos-pk-init-31.txt.

With the current PKINIT spec, it is certainly possible to have a KDC which 
issues tickets to clients on the basis of certificates signed by a CA it 
trusts, without requiring prior registration of those clients with the KDC. 
Of course I'd expect any real-life realm administrator to be rather 
conservative about what CA's he trusts, and I can't predict what sort of 
principal names such a realm might choose to use in real life.

> I'm willing to contribute substantial developer-hours to realizing the
> goal of easy, administrator-intervention-free cross-realm and
> non-realm authentication.

Cross-realm authentication is always going to be at the discretion of the 
realm administrators involved; that's a policy issue, not a technical one. 
However, it is possible to build a public-key-based mechanism which would 
make it possible to perform cross-realm authentication without requiring 
manual intervention by the realm admins each time.  This is what PKCROSS is 
all about, and while we've turned our attention away from that for a while 
to get other things done (PKINIT, updates to the core Kerberos spec, etc), 
I'm sure there are people who will be interested in picking up that work 
once enough cycles become available.  Take a look at 
draft-ietf-cat-kerberos-pk-cross, if you can find a copy (try the archive 
at watersprings.org).

If you're interested in participating in this work, you should do exactly 
what Jeff described -- become active in the IETF Kerberos Working Group. 
Subscribe to the ietf-krb-wg@anl.gov mailing list (via majordomo@anl.gov). 
Contribute to the ongoing work.  Volunteer to edit a draft.

-- Jeff