Realm lookups again
Nicolas Williams
Nicolas.Williams at sun.com
Wed Oct 1 18:21:34 EDT 2008
On Wed, Oct 01, 2008 at 06:14:21PM -0400, Jeffrey Hutzelman wrote:
> --On Wednesday, October 01, 2008 03:28:03 PM -0500 Nicolas Williams
> <Nicolas.Williams at sun.com> wrote:
>
> >It's a pretty good bet that sub-domain/sub-realm relationships imply
> >that the child domain/realm trusts the parent not to attack it
> >willfully. "Willfully" is a key word there; the parent might be
> >compromised and forced to attack the child.
>
> I'm not sure this is true. It's entirely possible that a large enterprise

I didn't say it was certainly true. As I said, I think it'd be right to
default the algorithm to use only the host's domain, not any of its
parents.

> has a smaller core of trusted services which live in a separate realm, not
> operated by the same people who operate the top-level realm, and which does
> not trust the top-level realm. Think of a security group within a large
> company, or a large legal or financial firm with a small group that lives
> behind a Chinese wall, or a government contractor with a group that does
> classified work.

I could see that, which is why I hedged what I wrote ("pretty good
_bet_").

> I'm nervous about making the assumption that organizational structure
> implies trust relationships. It is very common to create smaller
> organizational units which are either unusually trusted or unusually
> distrusted compared to the rest of the organization.

I'm not arguing about what the default should be. Just that there
should be a way to get a host2realm() that: a) is simple, b) doesn't
require KDC-side configuration of such mappings, c) doesn't require
client-side configuration of them either.