Advice on cross-realm PKINIT?

[Nico Williams]

I've actually written an I-D on using kx509 + cross-realm PKINIT as a PKCROSS.

There's no reason that an AS couldn't support it, but it would mean a
number of changes to existing ASes.

Alternatively this should be done in the TGS protocol.  That would
mean fewer surprising changes.  (It'd be surprising for an AS to issue
a Ticket without INITIAL or with non-empty transit path, for example.)

Nico
--