Concealing user principal names for realm crossover

Rick van Rein rick at openfortress.nl
Mon Mar 16 06:46:56 EDT 2015


Hello,

Simo Sorce wrote:

>> * Is this concealment of user names considered a good idea?
> 
> It may be useful

I now realise I didn’t state my purposes:

* the ability of a remote service to configure access to roles/groups, and leave the assignment of individuals to roles/groups to the sender realm
* privacy of authentication names towards remote realms that may be totally unknown
* more control over return communication by using different names towards different remote parties

>> * Is the idea of going through user/role with KDC-enforced policy good?
> 
> I do not think the idea of changing principal names to be particularly
> good.

The path user at MYREALM -> user/group at MYREALM -> group at MYREALM is just one way of doing this, I suppose.  It’d be a realm-internal implementation choice to do it this way.  I would be interested to learn what you dislike about it?

>> * Am I correct that there are no protocol elements for it yet?
> 
> No, there is Authorization Data which you should use for this kind of
> messaging. You can use the CAMMAC now to be able to assign roles in a
> custom AD and have it transported from your TGT to service tickets w/o
> further processing power spent at TGS time.

Thanks, will study.

>> * Are the ideas under (1) and (2) above worth considering?
> 
> Probably not. (1) should be handled with additional Authorization Data,
> (2) probably using FAST into a pkinit anonymous channel.

Thanks.

-Rick

P.S. I know this overlaps Kitten activity; I wanted to poll on this user-oriented list first.
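As an added illustration (not from this thread, and not code from MIT Kerberos or any other KDC), the following Python sketch models the approach Simo suggests: the issuing realm keeps the user-to-role policy, and what the remote service receives is a MAC-protected assertion that carries the roles and a per-service pseudonym but never the user's principal name. The JSON body and HMAC here stand in for the ASN.1 AuthorizationData and the CAMMAC verifier of RFC 7751; the policy table, the key names and the service name are constructed for the example.

```python
import hmac
import hashlib
import json

# Constructed sample data: the issuing realm's user -> roles policy.
# In a real deployment this lives in the KDC's policy, not in the ticket.
REALM = "MYREALM"
ROLE_POLICY = {
    "alice": ["admins", "devs"],
    "bob": ["devs"],
}

# Key shared between the issuing KDC and the remote service; stands in for
# the service key that would protect real authorization data (constructed).
SERVICE_KEY = b"example-service-key-not-for-production"

# Realm-internal secret used only to derive pseudonyms; never leaves the KDC
# (constructed for this example).
PSEUDONYM_KEY = b"example-pseudonym-key-not-for-production"


def pseudonym_for(user, service, key=PSEUDONYM_KEY):
    """Derive a stable, per-service pseudonym for a user so that different
    remote parties see different names and cannot correlate them."""
    material = f"{user}@{REALM}|{service}".encode()
    return hmac.new(key, material, hashlib.sha256).hexdigest()[:16]


def encode_assertion(payload):
    """Canonical byte encoding so the MAC covers exactly what is verified."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_role_assertion(user, service, key=SERVICE_KEY):
    """KDC side: look up the user's roles and emit a signed assertion that
    names the realm, the target service, a pseudonym and the roles, but
    not the user principal."""
    roles = ROLE_POLICY.get(user)
    if roles is None:
        raise PermissionError(f"no role policy for {user}")
    payload = {
        "realm": REALM,
        "service": service,
        "subject": pseudonym_for(user, service),
        "roles": sorted(roles),
    }
    body = encode_assertion(payload)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body, tag


def verify_role_assertion(body, tag, service, key=SERVICE_KEY):
    """Service side: check the MAC and that the assertion is addressed to
    this service, then return (realm, subject, roles) or None."""
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    payload = json.loads(body)
    if payload.get("service") != service:
        return None
    return payload["realm"], payload["subject"], list(payload["roles"])


def authorize(body, tag, service, required_role, key=SERVICE_KEY):
    """Service-side access decision: the service configures which role it
    requires; who holds that role is decided entirely by the sender realm."""
    result = verify_role_assertion(body, tag, service, key)
    if result is None:
        return False
    _realm, _subject, roles = result
    return required_role in roles


if __name__ == "__main__":
    body, tag = issue_role_assertion("alice", "host/www.example.com")
    print(body.decode())
    print("admins allowed:", authorize(body, tag, "host/www.example.com", "admins"))
```

The service only ever learns "someone from MYREALM whom that realm places in role X", which covers the three purposes listed above: the service configures access per role, the user name stays inside the realm, and the pseudonym differs per remote service. In real Kerberos the confidentiality of the user name would additionally depend on what appears in the ticket's cname field, which this sketch does not model.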
