[OpenAFS] Re: feasibility of moving lightweight-principals issue "upstream" to kerberos

Adam Megacz megacz@cs.berkeley.edu
Fri, 30 Dec 2005 20:37:36 -0800

Jeffrey Hutzelman <jhutz@cmu.edu> writes:
>> I'm willing to contribute substantial developer-hours to realizing the
>> goal of easy, administrator-intervention-free cross-realm and
>> non-realm authentication.

> Cross-realm authentication is always going to be at the discretion of
> the realm administrators involved; that's a policy issue, not a
> technical one.

Yes, I think this is the main thing I've learned from this discussion.
But the current technological situation is preventing administrators
from choosing the policy "let the users decide" if the admins want to.

> However, it is possible to build a public-key-based mechanism which
> would make it possible to perform cross-realm authentication without
> requiring manual intervention by the realm admins each time.

Okay, you're right.  There are projects out there that are working on
solving this -- and this covers half my concern.  The other half is
users who do not belong to a realm (i.e. those users who are not
affiliated with a university and don't have their own server to run a
private KDC on).

  - a

PGP/GPG: 5C9F F366 C9CF 2145 E770  B1B8 EFB1 462D A146 C380