Kerberos referrals

Saber Zrelli zrelli at jaist.ac.jp
Thu Nov 10 12:41:29 EST 2005


Hi,

* On 22:56, Wed 09 Nov 05, Ken Raeburn wrote:
> On Nov 9, 2005, at 21:19, Saber Zrelli wrote:
> >I read this draft and I am trying to understand how referrals work.
> >
> >In section 8. "Cross realm routing", it is said that for server
> >referrals, the KDC takes in charge the optimization of the referral
> >path because it has more information about cross-realm routing.
> >
> >Does this mean that the KDC will provide the client with a TGT and
> >the target realm (where the service is located) in the
> >PA-SERVER-REFERRAL of the reply ?
> 
> That's sort of the idea, yes.  Though Larry Zhu and I were discussing  
> today what happens if the local KDC has no cross-realm key for the  
> target realm, but can refer you to an intermediate realm which may  
> not be able to do referrals; I think the draft is going to need some  
> work to cover that case.

I think that there should be an inter-KDC protocol for referrals;
such a protocol would be something similar to the Internet Routing
Protocol (RIP). KDCs can then exchange their referral capabilities with
their direct connections (other KDCs with which they share keys).

Does it make no sense?


--
Saber ZRELLI <zrelli at jaist.ac.jp>
Japan Advanced Institute of Science and Technology
Center of Information Science
Shinoda Laboratory
url     : http://www.jaist.ac.jp/~zrelli
gpg-id  : 0x7119EA78

