Unclear about Kerberos' Concepts

Rick van Rein (OpenFortress) rick at openfortress.nl
Sat Oct 5 10:51:51 EDT 2013


Hello Greg,

Thanks for clarifying.

> It is common for a service to contact another service, after using its long-term key to acquire a TGT.

Great.  And that would be a TGT in its own name, as I understand it.

>  It is less common for a user or service to contact a user, though it is possible.

I am thinking about peer-to-peer uses.  It's good to hear that the protocol has no quarrels with that.

> In Kerberos, delegation allows a service to act on your behalf to another service.  It is not common (or easy) to delegate credentials to another principal which acts purely as a client, such as a secretary or bot.

OK.  I wanted to use it for pseudonyms, or more precisely to translate internal account names into external identities.  From what you are saying, this has the best chances if those external names are service names.

Thanks,
 -Rick

