revocation feature in Kerberos

Nico Williams nico at cryptonector.com
Mon Aug 4 13:06:28 EDT 2014


On Sun, Aug 03, 2014 at 11:33:58AM -0700, Booker Bense wrote:
> This whole conversation seems misguided to me. Kerberos is an
> authentication system, not an authorization one. Access to a service
> is an authorization issue. Since there is no universal authorization
> scheme for kerberos applications, any workable revocation system will
> have to build that first. That would be a very useful tool, but I'm
> afraid it might be about 20 years too late.

This isn't about authorization.  The thing being revoked is the
principal and/or its extant tickets.

Kerberos' design specifically obviates the need for a revocation system:
use short-lived tickets and you're mostly set.

That said, we've long ago stopped arguing about Kerberos as an
authentication system, and its relevance to authorization.  Kerberos is
relevant even to the simplest authorization schemes just by dint of
delivering the key to those schemes: the authenticated identity
(principal name).  Often Kerberos also carries authorization-specific
attributes (e.g., PAC, CAMMAC).  Either way Kerberos is orthogonal to
authorization, but authentication is integral to authorization,
therefore it's hard to separate the two.  Incidentally, the rest of the
world (e.g., SAML) long ago accepted that an attribute model of identity
(and therefore authentication) is more important than the more
traditional Kerberos model.

Nico
-- 
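The "short-lived tickets and you're mostly set" point above can be made concrete with a small model. The following is an added illustration, not code from this post, the Kerberos list, or any Kerberos implementation: a toy KDC that consults its principal database on every AS/TGS and renewal request, and a service that validates tickets offline and therefore only enforces the time window. The class names, the toy clock and the timings are constructed for the example. It shows that disabling a principal stops new tickets and renewals immediately, while already-issued tickets keep working at services until their endtime, so the residual exposure is bounded by the configured maximum ticket lifetime.

```python
"""Toy model of why short ticket lifetimes bound the damage when a
principal is disabled.  Constructed example: it mimics the time checks a
KDC and a Kerberized service perform, not a real Kerberos implementation.
"""
from dataclasses import dataclass, field

HOUR = 3600


@dataclass(frozen=True)
class Ticket:
    client: str
    start: int        # issue time (seconds on a toy clock)
    endtime: int      # hard expiry; the service enforces this locally
    renew_till: int   # 0 for a non-renewable ticket


@dataclass
class ToyKDC:
    max_life: int = 10 * HOUR                 # analogous to kdc.conf max_life
    max_renewable_life: int = 7 * 24 * HOUR   # analogous to max_renewable_life
    disabled: set = field(default_factory=set)

    def issue(self, client: str, now: int, renewable: bool = False) -> Ticket:
        """AS/TGS exchange: the KDC checks its database on every request,
        so a disabled principal gets nothing new."""
        if client in self.disabled:
            raise PermissionError(f"{client}: principal disabled")
        renew_till = now + self.max_renewable_life if renewable else 0
        return Ticket(client, now, now + self.max_life, renew_till)

    def renew(self, ticket: Ticket, now: int) -> Ticket:
        """Renewal also goes through the KDC, so it is another checkpoint
        at which a disabled principal is cut off."""
        if ticket.client in self.disabled:
            raise PermissionError(f"{ticket.client}: principal disabled")
        if now >= ticket.endtime:
            raise ValueError("ticket already expired")
        if not ticket.renew_till or now >= ticket.renew_till:
            raise ValueError("renewable lifetime exhausted")
        new_end = min(now + self.max_life, ticket.renew_till)
        return Ticket(ticket.client, now, new_end, ticket.renew_till)


def service_accepts(ticket: Ticket, now: int) -> bool:
    """A Kerberized service validates the ticket offline: it checks the time
    window (and, in reality, the service key and authenticator), but it never
    learns that the principal has since been disabled."""
    return ticket.start <= now < ticket.endtime


def residual_exposure(tickets, disabled_at: int) -> int:
    """Seconds after disabling during which some already-issued ticket is
    still accepted by a service.  Cannot exceed the KDC's max_life."""
    return max((t.endtime - disabled_at for t in tickets if t.endtime > disabled_at),
               default=0)


def demo() -> dict:
    kdc = ToyKDC(max_life=1 * HOUR)              # constructed: 1 hour tickets
    tgt = kdc.issue("alice", now=0, renewable=True)
    svc = kdc.renew(tgt, now=1800)               # renewed at 30 min, valid to t=5400
    disabled_at = 2000
    kdc.disabled.add("alice")                    # admin disables the principal
    try:
        kdc.renew(svc, now=3000)
        renewed_after_disable = True
    except PermissionError:
        renewed_after_disable = False
    exposure = residual_exposure([tgt, svc], disabled_at)
    return {
        "accepted_after_disable": service_accepts(svc, 4000),  # True: service can't know
        "accepted_at_expiry": service_accepts(svc, 5400),      # False: endtime reached
        "renewed_after_disable": renewed_after_disable,        # False: KDC refuses
        "exposure_seconds": exposure,                          # 3400
        "bounded_by_max_life": exposure <= kdc.max_life,       # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The defender's lever in this model is `max_life` (and how often clients must return to the KDC via renewal): shrinking it shrinks the window in which a disabled principal's existing tickets still verify, which is the trade-off the post describes. Services that must react faster than that window need an out-of-band signal, which Kerberos itself does not provide.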

