What happened to PKCROSS?
Nico Williams
nico at cryptonector.com
Tue Jul 1 16:10:34 EDT 2014
On Tue, Jul 1, 2014 at 1:01 PM, Rick van Rein <rick at openfortress.nl> wrote:
> I’ve been thinking about realm-crossing lately, specifically between hitherto unknown parties — that is, for use across the general Internet.
I have too. I've an Internet-Draft on the subject. I intend to
update it soon. If all goes well I might find myself implementing a
few months from now, or if not maybe we can con someone else into
doing it.
My plan is roughly:
- kx509 (local realm) -> PKINIT at remote realm to get a TGT for krbtgt/REMOTE@REMOTE
- add an ephemeral, cacheable mechanism by which KDCs can bootstrap a
symmetric x-realm principal key
- add a way to make one of those keys permanent
- use DANE for realm public key authentication
- use DANE stapling to avoid the need for slow I/O in KDCs
The only part of this that's difficult at all is the DANE stapling part.
The PKINIT part is just a matter of tweaking policy code on the AS side.
The kx509 part is easy (though I think the protocol should be revised
so it can go on the Standards track) as code exists and the protocol
is rather simple (it's just a kerberized service that takes a public
key from the client and returns a short-lived certificate for the same
key with the client's principal name as the subject).
Transit path handling is easy: all transit paths become hierarchical
paths when using DANE. (But when using PKIX, transit path processing
gets complicated, as we must then implement X.500-style realm naming.)
Nico
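The "hierarchical paths" Nico refers to are the RFC 4120 section 1.2 rule for DNS-style realm names: the authentication path climbs from the client realm to the closest common ancestor realm and descends to the server realm, and a KDC applying transit policy rejects a ticket whose transited list names any realm off that path. The following is an added example (not code from the mail, from Nico's Internet-Draft, or from any Kerberos implementation) that computes that path and runs the check over a decoded list of realm names. It assumes realms are dot-separated names compared case-insensitively, that two realms with no common suffix reach each other through their two top-level realms directly (no root realm), and that the transited field has already been decoded from the compressed DOMAIN-X500-COMPRESS encoding a ticket carries.

```python
"""Hierarchical Kerberos transit-path check.

Added illustration of the RFC 4120 section 1.2 hierarchical realm rule; not
code from the original mail or from any Kerberos implementation.  Assumptions
(not from the page): realms are dot-separated names compared case-insensitively;
realms with no common suffix go via their top-level realms directly (no root
realm); the transited list is supplied as already-decoded realm names.
"""


def _labels(realm):
    """Split 'Eng.Example.COM' into ['ENG', 'EXAMPLE', 'COM']."""
    return realm.upper().strip(".").split(".")


def hierarchical_path(client_realm, server_realm):
    """Intermediate realms (endpoints excluded) on the hierarchical path.

    Climbs from the client realm to the closest common ancestor, then
    descends to the parent of the server realm.
    """
    c, s = _labels(client_realm), _labels(server_realm)
    # Length of the longest common label suffix = the closest common ancestor.
    k = 0
    while k < min(len(c), len(s)) and c[-1 - k] == s[-1 - k]:
        k += 1
    server = ".".join(s)
    path = []
    # Climb: suffixes of the client realm, shortest being the common ancestor.
    for i in range(1, len(c) - k + 1):
        realm = ".".join(c[i:])
        if realm and realm != server:  # skip the (absent) root and the server itself
            path.append(realm)
    # Descend: suffixes of the server realm longer than the common ancestor,
    # down to the server's immediate parent.
    for j in range(len(s) - k - 1, 0, -1):
        path.append(".".join(s[j:]))
    return path


def check_transited(client_realm, server_realm, transited):
    """KDC-style policy check on a ticket's transited realm list.

    Every listed realm must lie on the hierarchical path between the two
    endpoint realms.  Returns (ok, offending_realms).
    """
    allowed = set(hierarchical_path(client_realm, server_realm))
    offending = [r for r in transited if r.upper().strip(".") not in allowed]
    return (not offending, offending)


if __name__ == "__main__":
    # Constructed sample realms for demonstration.
    print(hierarchical_path("A.B.COM", "C.D.COM"))            # ['B.COM', 'COM', 'D.COM']
    print(hierarchical_path("ENG.EXAMPLE.COM", "SALES.EXAMPLE.COM"))  # ['EXAMPLE.COM']
    print(check_transited("A.B.COM", "C.D.COM", ["B.COM", "COM", "D.COM"]))
    print(check_transited("A.B.COM", "C.D.COM", ["B.COM", "PARTNER.NET", "D.COM"]))
```

The check is deliberately order-insensitive and only asks whether each transited realm is on the expected path; a production KDC additionally has to decode the compressed transited encoding and apply local policy (for example, realms it is configured to trust regardless of hierarchy), which this example leaves out.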