PPTP / L2TP with Kerberos -- what specs does it follow?

Rick van Rein rick at openfortress.nl
Sun Nov 30 15:33:58 EST 2014


Hi,

> Kerberos is not a complete identity solution.

As I understand Kerberos, it IS…

 * a complete local authentication platform
 * a statically configurable realm-xover authentication platform

…and it IS NOT…

 * an on-the-fly realm-xover authentication platform
 * an authorisation platform

The first one is a miss, and is being worked on (PKCROSS, the KREALM record, and ever-improving integration in protocols).

Authorisation is out of scope, and might need something like LDAP. Note that authorisation requires trust of the protected resource, so it is usually in the same realm, just using the authenticated identity that has done a realm-xover if necessary.

-Rick

