EAP-Kerberos

Saber Zrelli zrelli at jaist.ac.jp
Mon Jul 18 14:12:21 EDT 2005


Hi,

In the IAKERB draft, the following is said:

 ===========

6. The IAKERB proxy protocol :
...
The IAKERB proxy is responsible for locating an appropriate KDC using the realm
information in the KDC request message it received from the client.
...
 ============

I apologize for my misleading affirmation. The IAKERB proxy can
be used by the client to obtain a cross-realm ticket that can be used
in the visited realm.

I was referring to a KDC instead of an IAKERB proxy. My thoughts are
that these proxying functionalities should be moved to the KDC of
the visited realm. But this would be another topic that I wish to
start soon.

Best Regards,
Saber.

* On 21:55, Sun 17 Jul 05, Sam Hartman wrote:
> >>>>> "Saber" == Saber Zrelli <zrelli at jaist.ac.jp> writes:
> 
>     Saber> when some visiting user would like to connect to a foreign
>     Saber> wireless network, in addition to the bootstrapping problem,
>     Saber> the actual protocol defined by IAKERB does not allow the
>     Saber> operator to authenticate the visiting user since he/she is
>     Saber> not registered in the local DB. Hence there is a need to
>     Saber> extend the proxy properties to perform inter-realm
>     Saber> operations (to communicate with the user's home realm) for
>     Saber> authenticating roaming users.
> 
> For the record, I strongly disagree with the above.
> 
> I don't have time to explain now, but will try to get to it reasonably soon.

-- 
Saber ZRELLI <zrelli at jaist.ac.jp>
Japan Advanced Institute of Science and Technology
Center of Information Science
Shinoda Laboratory
url     : http://www.jaist.ac.jp/~zrelli
gpg-id  : 0x7119EA78

