Auditing Feature in Kerberos
greg@enjellic.com
Fri Mar 24 05:36:39 EST 2006
On Mar 23, 10:50pm, Jeffrey Altman wrote:
} Subject: Re: Auditing Feature in Kerberos
> greg at enjellic.com wrote:
>
> > It may be but it does fail a direct correlation requirement. If the
> > IP address is implemented in the payload the ad_data strategy also
> > allows pinning the audit trail to the KDC which issued the ticket.
> >
> > It all comes down to whether or not it is sufficient to answer the
> > audit question with 'we think it might be' or 'it is'.
> >
> > I have found that people concerned with audit trails can be
> > surprisingly pedantic in their assurance requirements.
> >
> > Greg
> Which is why I recommended the items I suggested a couple of days
> ago including logging hashes of the tickets that are issued and
> received as part of the transactions. I don't think we need a new
> identifier.
It's certainly your party.
The hashing approach would still seem to be problematic in the context
of a multi-KDC implementation.
In the near future any relevant Kerberos implementations are going to
be doing ad_data payloading. In that scenario explicit correlation is
free.
> Jeffrey Altman
Greg
}-- End of excerpt from Jeffrey Altman
As always,
Dr. G.W. Wettstein, Ph.D.       Enjellic Systems Development, LLC.
4206 N. 19th Ave.               Specializing in information infra-structure
Fargo, ND 58102                 development.
PH: 701-281-1686
FAX: 701-281-3949               EMAIL: greg at enjellic.com
------------------------------------------------------------------------------
"Forget committees. New, noble, world changing ideas come from one
person working alone."
-- Tina Etzell's unknown quote book.
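The two correlation strategies argued over above, hash-based joining of KDC and service logs versus an explicit issuer identifier carried in the ticket, as an added example that is not code from this thread or from any Kerberos implementation. The ticket bytes, hostnames, addresses and log records are all constructed, and the `issuer` field on a receipt record is an assumption standing in for a KDC identifier placed in the ticket's authorization data; it is not a real ad_data encoding.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


def ticket_hash(ticket_bytes: bytes) -> str:
    """Audit key: SHA-256 over the ticket bytes as they left the KDC."""
    return hashlib.sha256(ticket_bytes).hexdigest()


@dataclass(frozen=True)
class IssueRecord:
    """One line of a KDC's issuance log (constructed schema)."""
    kdc: str
    client: str
    service: str
    thash: str


@dataclass(frozen=True)
class ReceiptRecord:
    """One line of a service's acceptance log (constructed schema).
    `issuer` is the assumed explicit KDC identifier from authorization data,
    or None when the ticket carried no such field."""
    service_host: str
    client_addr: str
    thash: str
    issuer: Optional[str]


# Constructed opaque ticket blobs; not real Kerberos encodings.
T1 = b"constructed-ticket-1:alice@EXAMPLE.ORG->host/www"
T2 = b"constructed-ticket-2:bob@EXAMPLE.ORG->host/www"
T3 = b"constructed-ticket-3:carol@EXAMPLE.ORG->host/www"

# Logs collected from two KDCs. T3 was issued by a third KDC whose log
# was never collected, which is the multi-KDC gap Greg describes.
KDC_LOGS: Dict[str, List[IssueRecord]] = {
    "kdc1.example.org": [IssueRecord("kdc1.example.org", "alice", "host/www", ticket_hash(T1))],
    "kdc2.example.org": [IssueRecord("kdc2.example.org", "bob", "host/www", ticket_hash(T2))],
}

# Service-side log: the first two tickets carry no issuer field, the third
# carries one (assumed to have been placed there by its KDC).
SERVICE_LOG: List[ReceiptRecord] = [
    ReceiptRecord("www.example.org", "192.0.2.10", ticket_hash(T1), None),
    ReceiptRecord("www.example.org", "192.0.2.11", ticket_hash(T2), None),
    ReceiptRecord("www.example.org", "192.0.2.12", ticket_hash(T3), "kdc3.example.org"),
]


def correlate_by_hash(kdc_logs: Dict[str, List[IssueRecord]],
                      service_log: List[ReceiptRecord]) -> Dict[str, Optional[str]]:
    """Join receipts to issuance records on the ticket hash alone.
    Returns {ticket_hash: issuing KDC}; None means no collected KDC log
    contains the hash, so the issuer can only be guessed ('we think it might be')."""
    index: Dict[str, List[IssueRecord]] = {}
    for records in kdc_logs.values():
        for r in records:
            index.setdefault(r.thash, []).append(r)
    result: Dict[str, Optional[str]] = {}
    for rec in service_log:
        matches = index.get(rec.thash, [])
        result[rec.thash] = matches[0].kdc if len(matches) == 1 else None
    return result


def correlate_explicit(service_log: List[ReceiptRecord]) -> Dict[str, Optional[str]]:
    """Attribute each receipt using the issuer identifier carried in the
    ticket itself; no KDC log is needed to answer 'which KDC issued it'."""
    return {rec.thash: rec.issuer for rec in service_log}


def unattributed(result: Dict[str, Optional[str]]) -> List[str]:
    """Hashes for which the audit question cannot be answered with 'it is'."""
    return sorted(h for h, kdc in result.items() if kdc is None)


if __name__ == "__main__":
    by_hash = correlate_by_hash(KDC_LOGS, SERVICE_LOG)
    print("hash join  :", by_hash)
    print("unattributed by hash:", unattributed(by_hash))
    print("explicit   :", correlate_explicit(SERVICE_LOG))
```

The hash join answers the question only when every KDC's log has been collected and retained; the receipt for T3 stays unattributed because its issuer's log is absent. With the issuer carried inside the ticket, the service log alone pins the ticket to a KDC, which is the direct correlation the thread contrasts with a best-effort one.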