Realm lookups again

Nicolas Williams Nicolas.Williams at sun.com
Wed Oct 1 18:39:13 EDT 2008


On Wed, Oct 01, 2008 at 05:21:34PM -0500, Nicolas Williams wrote:
> On Wed, Oct 01, 2008 at 06:14:21PM -0400, Jeffrey Hutzelman wrote:
> >                                 Think of a security group within a large 
> > company, or a large legal or financial firm with a small group that lives 
> > behind a Chinese wall, or a government contractor with a group that does 
> > classified work.
> 
> I could see that, which is why I hedged what I wrote ("pretty good
> _bet_").

It's also worth pointing out that creating multiple realms for Chinese
wall separation isn't necessarily a way to avoid having to trust an
untrustworthy realm.  With x-realm trusts then you still have one realm
dependent on the other's security, and without x-realm trusts you end up
having multiple user principals to keep synchronized, which makes you
wonder why bother separating them.  You could have shortcut x-realm
trusts between sub-realms to avoid having to trust a parent realm, but
you still end up having to trust some realms (and why bother with a
parent realm if it's effectively unused?).


