NIST LOAs and Kerberos

John Devitofranceschi jdvf at optonline.net
Fri Mar 30 09:05:35 EDT 2012


On Mar 30, 2012, at 8:23, Ken Hornstein <kenh at cmf.nrl.navy.mil> wrote:

>> Does this mean that in order to consider one's KDC infra LOA3 compliant
>> one needs to hold the principal database in a compliant hardware
>> security module? Or am I missing something here?
> 
> You're in trouble even if you did that anyway.  Look at section 9.3.2.2.
> By my reading of that, with the traditional use of Kerberos you can't
> go above Level 1.
> 
> --Ken

Yes I read that. :(

But if we use a smart card (LOA4 compliant) to log in and obtain Kerberos credentials, is it at all possible for one to claim that the requirements specified in 9.3.2.4 are satisfied and then use Kerberos tickets as assertions at Level 4?

jd

