Realm lookups again

Jeffrey Hutzelman jhutz at
Wed Oct 1 18:14:21 EDT 2008

--On Wednesday, October 01, 2008 03:28:03 PM -0500 Nicolas Williams 
<Nicolas.Williams at> wrote:

> It's a pretty good bet that sub-domain/sub-realm relationships imply
> that that the child domain/realm trusts the parent not to attack it
> willfully.  "Willfully" is a key word there; the parent might be
> compromised and forced to attack the child.

I'm not sure this is true.  It's entirely possible that a large enterprise 
has a smaller core of trusted services which live in a separate realm, not 
operated by the same people who operate the top-level realm, and which does 
not trust the top-level realm.  Think of a security group within a large 
company, or a large legal or financial firm with a small group that lives 
behind a Chinese wall, or a government contractor with a group that does 
classified work.

I'm nervous about making the assumption that organizational structure 
implies trust relationships.  It is very common to create smaller 
organizational units which are either unusually trusted or unusually 
distrusted compared to the rest of the organization.

-- Jeff

More information about the krbdev mailing list