capaths questions

Derek Atkins warlord at MIT.EDU
Mon May 17 15:53:13 EDT 2004

"Douglas E. Engert" <deengert at> writes:

> OK, here is another contrived example similar to Ken's,
> but with a few extra realms.
> Cross realm keys (- or |) are shared by these realms:
>   A - B
>   |   |
>   C - D - E
>       |   |
>       F - G - H
>           | 
>           I  
> Say C, F and I are all student run, whereas A, B, D, E, G, H are official,
> with B and E for official biz only. So user in A wants to get to server H,
> he takes official path A, B, D, E, G, H

If a user is going to D or G, is that "official biz" or not?  How do
you define "official biz" when talking about KDC transits?

> If user in A is going to I, he takes student path: A, C, D, F, G, I
> How would you handle this with recursive capaths? 

In this (admittedly degenerate) case, you don't.  You need to
explicitly label the paths.  However in a more general case you could
use recursive capaths.

For example, if 'C' didn't exist, then you could just say:

D = B
E = D
H = E G
F = D
I = F G

I.e., you know that you need to transit through B to get to D, so you
don't need to re-specify that binding for every future path.  However
the places where you DO need to specify a path you can still do so
(e.g. to get to H you need to transit via E, but to get to I you need
to transit via F).

> (When the DCE people where looking at this problem, they talked in terms 
> of going up the realm tree then across then down, if that helps at all 
> in how to handle the problem.) 

Uh, IIRC MIT-Kerberos has always supported this...  But nobody ever
ran an "EDU", "ORG", or "COM" domain :)


       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL:    PP-ASEL-IA     N1NWH
       warlord at MIT.EDU                        PGP key available
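Added illustration (not code from the thread or from MIT Kerberos): a small resolver for the recursive capaths shorthand Derek sketches above, using his entries for a client in realm A with C absent. It assumes that only the first listed hop of an entry is itself looked up recursively and that later hops are taken literally, and that a realm with no entry shares a key directly with the client realm; those are my reading of the shorthand, not the semantics of krb5's actual [capaths] section.

```python
"""Recursive capaths expansion for the realm graph discussed in the message.

Each entry maps a target realm to the intermediate realms a client in A
must transit, in order.  Assumption: only the FIRST listed hop is expanded
recursively; later hops are explicit.  This models the shorthand in the
message, not MIT krb5's real [capaths] parser.
"""

# Derek's shorthand, transcribed (client realm A; realm C assumed absent).
CAPATHS = {
    "D": ["B"],
    "E": ["D"],
    "H": ["E", "G"],
    "F": ["D"],
    "I": ["F", "G"],
}


def transit_path(target, capaths, _seen=None):
    """Return the ordered realms transited before reaching `target`.

    A target with no entry is assumed to share a key directly with the
    client realm (e.g. B), so its path is empty.  Raises ValueError if
    the entries contain a cycle such as X = Y together with Y = X.
    """
    seen = set() if _seen is None else _seen
    if target in seen:
        raise ValueError(f"capaths cycle while resolving {target}")
    hops = capaths.get(target)
    if not hops:
        return []
    # Splice the first hop's own path in front; remaining hops are explicit.
    return transit_path(hops[0], capaths, seen | {target}) + hops


def full_route(client, target, capaths):
    """Client realm, every transited realm, then the target realm."""
    return [client] + transit_path(target, capaths) + [target]


if __name__ == "__main__":
    for realm in ("H", "I", "B"):
        print(realm, "->", " ".join(full_route("A", realm, CAPATHS)))
```

The resolved list for H is exactly the "official" path A, B, D, E, G, H from the quoted example, and the list for I is A, B, D, F, G, I; the cycle check matters because a self-referencing entry would otherwise recurse without bound.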
