capaths questions

Douglas E. Engert deengert at
Mon May 17 16:48:53 EDT 2004

Derek Atkins wrote:
> "Douglas E. Engert" <deengert at> writes:
> > OK, here is another contrived example similar to Ken's,
> > but with a few extra realms.
> >
> > Cross realm keys (- or |) are shared by these realms:
> >
> >   A - B
> >   |   |
> >   C - D - E
> >       |   |
> >       F - G - H
> >           |
> >           I
> >
> >
> > Say C, F and I are all student run, whereas A, B, D, E, G, H are official,
> > with B and E for official biz only. So user in A wants to get to server H,
> > he takes official path A, B, D, E, G, H
> If a user is going to D or G, is that "official biz" or not?  How do
> you define "official biz" when talking about KDC transits?

It's some "policy". Maybe B and E are some .EDU or .GOV institutions
that don't want to give out tickets to students. And maybe the students
don't trust B or E either!

> > If user in A is going to I, he takes student path: A, C, D, F, G, I
> >
> > How would you handle this with recursive capaths?
> In this (admittedly degenerate) case, you don't.. You need to
> explicitly label the paths. 

Well can anyone else come up with a not so contrived case?

> However in a more general case you could
> use recursive capaths.
> For example, if 'C' didn't exist, then you could just say:
> D = B
> E = D
> H = E G
> F = D
> I = F G
> I.e., you know that you need to transit through B to get to D, so you
> don't need to re-specify that binding for every future path.  However
> the places where you DO need to specify a path you can still do so
> (e.g. to get to H you need to transit via E, but to get to I you need
> to transit via F).
> > (When the DCE people were looking at this problem, they talked in terms
> > of going up the realm tree then across then down, if that helps at all
> > in how to handle the problem.)
> Uh, IIRC MIT-Kerberos has always supported this...  But nobody ever
> ran an "EDU", "ORG", or "COM" domain :)

It still works, and because we at ANL.GOV wanted to use ES.NET to get to 
PNL.GOV without a .GOV or .NET, we added the capaths code in 1994. Then in 1995, 
we said of this trying to find shortcuts, or recursively finding the route: 
simplify it (and to get MIT to accept it). We went with an explicit path, so 
as to avoid discussions like this, when there were very few people interested
in transited cross realm. 

Another set of questions to consider is the maintenance cost of the
path database. As new realms are added, who has to know about them, 
and who has to update their tables? If the KDCs just issue cross realm
tickets and only the client and service or the service's KDC need to know.


> -derek
> --
>        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>        Member, MIT Student Information Processing Board  (SIPB)
>        URL:    PP-ASEL-IA     N1NWH
>        warlord at MIT.EDU                        PGP key available


 Douglas E. Engert  <DEEngert at>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
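
The recursive table Derek sketches in the reply above, and the explicit labelling he says the contrived case needs, as an added worked example written for this page (not code from the thread or from MIT Kerberos). It assumes a simplified resolution rule for Derek's shorthand: the first realm in an entry is looked up recursively until a realm the client holds a direct cross-realm key with is reached, and any further realms in the entry are taken as written. The realm names are the single letters of Doug's diagram; the tables, the direct-key sets, the "student run" policy set and the cyclic table are constructed for the example. A small policy check models what a service or its KDC could do with the transited-realm list, which is the point of Doug's last question.

```python
"""Model of recursive capaths resolution, added here as an illustration.
It is not code from this thread or from MIT Kerberos.  The tables use
Derek's shorthand from the reply above ('D = B' means: to reach D, go
through B), keyed by destination realm from one client realm's point of
view.  Realm names are the single letters of Doug's diagram; the tables,
the direct-key sets and the policy sets are constructed for the example."""


class NoPath(Exception):
    """Raised when the table gives no way to reach the destination."""


def resolve_path(client, target, capaths, direct):
    """Return the realms transited between client and target (endpoints
    excluded), in order.

    Modelled rule (an assumption, not MIT krb5's exact algorithm): the
    first realm in an entry is looked up recursively until a realm the
    client shares a key with directly is reached; any further realms in
    the entry are taken as written, each assumed to share a key with the
    one before it.  Cycles and unreachable realms raise NoPath.
    """
    def expand(realm, seen):
        if realm == client or realm in direct:
            return []                     # one hop; nothing transited
        if realm in seen:
            raise NoPath(f"cycle while resolving {realm}: {sorted(seen)}")
        if realm not in capaths:
            raise NoPath(f"no entry and no direct key for {realm}")
        first, *rest = capaths[realm]
        return expand(first, seen | {realm}) + [first] + rest

    return expand(target, frozenset())


def full_route(client, target, capaths, direct):
    """Client, every transited realm, then the target."""
    return [client] + resolve_path(client, target, capaths, direct) + [target]


def route_or_none(client, target, capaths, direct):
    """full_route, but None instead of an exception for an unreachable target."""
    try:
        return full_route(client, target, capaths, direct)
    except NoPath:
        return None


def check_transit_policy(transited, denied):
    """The check a service or its KDC could apply to the transited-realm
    list carried in a ticket: return the realms the local policy rejects
    (an empty list means the path is acceptable)."""
    return [realm for realm in transited if realm in denied]


# Constructed: Derek's recursive table for the diagram with realm C absent.
RECURSIVE = {
    "D": ["B"],
    "E": ["D"],
    "H": ["E", "G"],
    "F": ["D"],
    "I": ["F", "G"],
}
DIRECT_FROM_A = {"B"}            # with C gone, A holds a key only with B

# Constructed: explicit labelling for Doug's original graph (C present),
# one fully spelled-out entry per destination, as Derek says is needed.
EXPLICIT = {
    "H": ["B", "D", "E", "G"],   # "official" route
    "I": ["C", "D", "F", "G"],   # "student" route
}
DIRECT_FROM_A_WITH_C = {"B", "C"}

# Constructed: realms Doug's scenario calls student run.
STUDENT_RUN = {"C", "F", "I"}

# Constructed: a broken table with a loop, to exercise the cycle guard.
CYCLIC = {"X": ["Y"], "Y": ["X"]}


if __name__ == "__main__":
    for dest in ("H", "I"):
        print("recursive A ->", dest, full_route("A", dest, RECURSIVE, DIRECT_FROM_A))
    for dest in ("H", "I"):
        route = full_route("A", dest, EXPLICIT, DIRECT_FROM_A_WITH_C)
        print("explicit  A ->", dest, route,
              "rejected:", check_transit_policy(route[1:-1], STUDENT_RUN))
    print("cyclic table:", route_or_none("A", "X", CYCLIC, set()))
```

With C absent, the recursive table yields A, B, D, E, G, H and A, B, D, F, G, I from five short entries; with C present, the same resolver only reaches Doug's two different routes when each destination's entry spells out the whole path, which is the "explicitly label the paths" answer in the thread. The policy check on the second route reports C and F, the student-run realms it transits.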
