What happened to PKCROSS?

Nico Williams nico at cryptonector.com
Tue Jul 1 16:10:34 EDT 2014


On Tue, Jul 1, 2014 at 1:01 PM, Rick van Rein <rick at openfortress.nl> wrote:
> I’ve been thinking about realm-crossing lately, specifically between hitherto unknown parties — that is, for use across the general Internet.

I have too.  I've an Internet-Draft on the subject.  I intend to
update it soon.  If all goes well I might find myself implementing a
few months from now, or if not maybe we can con someone else into
doing it.

My plan is roughly:

 - kx509 (local realm) -> PKINIT at remote realm to get a TGT for krbtgt/REMOTE@REMOTE

 - add an ephemeral, cacheable mechanism by which KDCs can bootstrap a
symmetric x-realm principal key

 - add a way to make one of those keys permanent

 - use DANE for realm public key authentication

 - use DANE stapling to avoid the need for slow I/O in KDCs

The only part of this that's difficult at all is the DANE stapling part.

The PKINIT part is just a matter of tweaking policy code on the AS side.

The kx509 part is easy (though I think the protocol should be revised
so it can go on the Standards track) as code exists and the protocol
is rather simple (it's just a kerberized service that takes a public
key from the client and returns a short-lived certificate for the same
key with the client's principal name as the subject).

Transit path handling is easy: all transit paths become hierarchical
paths when using DANE.  (But when using PKIX transit path processing
gets complicated as we must then implement X.500-style realm naming.)

Nico
--
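As an added illustration (not part of the thread, and not code from any of the people or projects named in it) of what "hierarchical transit paths" means for a KDC: with DNS-style realm names the trust path climbs from the client realm to the nearest common suffix and descends to the server realm, which is the walk RFC 4120 describes for checking a ticket's transited field. Realm names below are constructed.

```python
# Added example: hierarchical cross-realm path and a transited-field check.
# Realm names are constructed for illustration.
from typing import List


def hierarchical_path(client_realm: str, server_realm: str) -> List[str]:
    """Intermediate realms between client and server realm when trust follows
    the DNS-style hierarchy.  Climb from the client realm toward the longest
    common suffix, then descend toward the server realm.  Endpoints excluded;
    with no common suffix both top-level realms appear (e.g. COM, ORG)."""
    c = client_realm.split(".")
    s = server_realm.split(".")
    common = 0                          # number of shared trailing labels
    while common < min(len(c), len(s)) and c[-1 - common] == s[-1 - common]:
        common += 1
    path: List[str] = []
    # Climb: ENG.EXAMPLE.COM -> EXAMPLE.COM -> COM (or stop at the shared suffix).
    top = len(c) - common if common else len(c) - 1
    for i in range(1, top + 1):
        path.append(".".join(c[i:]))
    # Descend: ORG -> EXAMPLE.ORG (the shared suffix was already appended above).
    start = len(s) - 1 if common == 0 else len(s) - common - 1
    for i in range(start, 0, -1):
        path.append(".".join(s[i:]))
    return path


def transited_is_hierarchical(client_realm: str, server_realm: str,
                              transited: List[str]) -> bool:
    """KDC-side check: every realm recorded in the ticket's transited list must
    lie on the hierarchical path, in path order.  Realms may be skipped (a
    direct cross-realm key is a legitimate shortcut), but a realm outside the
    hierarchy needs explicit policy and is rejected here."""
    path = hierarchical_path(client_realm, server_realm)
    last = -1
    for realm in transited:
        if realm not in path:
            return False                # off-hierarchy realm
        idx = path.index(realm)
        if idx <= last:
            return False                # out of order or repeated
        last = idx
    return True


if __name__ == "__main__":
    print(hierarchical_path("ENG.EXAMPLE.COM", "DEV.EXAMPLE.ORG"))
    print(transited_is_hierarchical("ENG.EXAMPLE.COM", "DEV.EXAMPLE.ORG",
                                    ["EXAMPLE.COM", "ORG", "EXAMPLE.ORG"]))
```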