Advice on cross-realm PKINIT?

Nico Williams nico at cryptonector.com
Mon Jun 9 20:59:18 EDT 2014


On Mon, Jun 9, 2014 at 7:36 PM, Nordgren, Bryce L -FS
<bnordgren at fs.fed.us> wrote:
> I think it's a bit harsh to claim cross-realm AS is not supported by the protocol.  [...]

Indeed, the fact that the client and server realm can't differ in the
AS-REQ doesn't mean that the pre-auth in the AS-REQ can't indicate the
client's true realm.  The "problem" is that other "invariants" are
violated by using AS for x-realm, as I mentioned earlier.  Nothing
that can't be overcome, and my idea is to use TGS anyways, but with a
PKINIT pre-auth instead of PA-TGS, and with a "cross-realm"
certificate (really, a cert issued most-likely by a kx509 CA -- an
issuer that wouldn't be part of the target TGS' issuers for its
realm's client principals).

Nico
--