Realm lookups again
Jeffrey Hutzelman
jhutz at cmu.edu
Wed Oct 1 18:14:21 EDT 2008
--On Wednesday, October 01, 2008 03:28:03 PM -0500 Nicolas Williams
<Nicolas.Williams at sun.com> wrote:
> It's a pretty good bet that sub-domain/sub-realm relationships imply
> that that the child domain/realm trusts the parent not to attack it
> willfully. "Willfully" is a key word there; the parent might be
> compromised and forced to attack the child.
I'm not sure this is true. It's entirely possible that a large enterprise
has a smaller core of trusted services which live in a separate realm, not
operated by the same people who operate the top-level realm, and which does
not trust the top-level realm. Think of a security group within a large
company, or a large legal or financial firm with a small group that lives
behind a Chinese wall, or a government contractor with a group that does
classified work.
I'm nervous about making the assumption that organizational structure
implies trust relationships. It is very common to create smaller
organizational units which are either unusually trusted or unusually
distrusted compared to the rest of the organization.
-- Jeff
More information about the krbdev
mailing list