Realm lookups again

Nicolas Williams Nicolas.Williams at
Wed Oct 1 18:39:13 EDT 2008

On Wed, Oct 01, 2008 at 05:21:34PM -0500, Nicolas Williams wrote:
> On Wed, Oct 01, 2008 at 06:14:21PM -0400, Jeffrey Hutzelman wrote:
> >                                 Think of a security group within a large 
> > company, or a large legal or financial firm with a small group that lives 
> > behind a Chinese wall, or a government contractor with a group that does 
> > classified work.
> I could see that, which is why I hedged what I wrote ("pretty good
> _bet_").

It's also worth pointing out that creating multiple realms for chinese
wall separation isn't necessarily a way to avoid having to trust an
untrustworthy realm.  With x-realm trusts then you still have one realm
dependent on the other's security, and without x-realm trusts you end up
having multiple user principals to keep synchronized, which make you
wonder why bother separating them.  You could have shortcut x-realm
trusts between sub-realms to avoid having to trust a parent realm, but
you still end up having to trust some realms (and why bother with a
parent realm if it's effectively unused?).

More information about the krbdev mailing list