Realm lookups again

Henry B. Hotz hotz at
Wed Oct 1 21:44:25 EDT 2008

On Oct 1, 2008, at 3:37 PM, krbdev-request at wrote:

> Date: Wed, 01 Oct 2008 18:14:21 -0400
> From: Jeffrey Hutzelman <jhutz at>
> Subject: Re: Realm lookups again
> To: Nicolas Williams <Nicolas.Williams at>, ghudson at
> Cc: krbdev at, jhutz at
> Message-ID: <A8CA43248B26022FC02073C7 at>
> Content-Type: text/plain; charset=us-ascii; format=flowed
> --On Wednesday, October 01, 2008 03:28:03 PM -0500 Nicolas Williams
> <Nicolas.Williams at> wrote:
>> It's a pretty good bet that sub-domain/sub-realm relationships imply
>> that that the child domain/realm trusts the parent not to attack it
>> willfully.  "Willfully" is a key word there; the parent might be
>> compromised and forced to attack the child.
> I'm not sure this is true.  It's entirely possible that a large  
> enterprise
> has a smaller core of trusted services which live in a separate  
> realm, not
> operated by the same people who operate the top-level realm, and  
> which does
> not trust the top-level realm.  Think of a security group within a  
> large
> company, or a large legal or financial firm with a small group that  
> lives
> behind a Chinese wall, or a government contractor with a group that  
> does
> classified work.
> I'm nervous about making the assumption that organizational structure
> implies trust relationships.  It is very common to create smaller
> organizational units which are either unusually trusted or unusually
> distrusted compared to the rest of the organization.
> -- Jeff

Aren't we running into the issue of what "trust" means?  Just because  
you "trust" another organization enough to exchange cryptographic  
keys, doesn't mean you "trust" their people to access all of your  
services.  In theory I might someday get a fully-authenticated  
connection from osama at AL-QAEDA.INT via some "trust" between NASA, the  
State Department, and a covert arm of the CIA.  I've got a pretty good  
idea what I do with that connection too.  ;-)

More specifically I don't think such a connection should be regarded  
as an "attack", at least not by default.  Rejecting it, post- 
authentication, is just business as usual.

What we're talking about here are what are appropriate heuristics for  
what "trust" relationships to look for.  While a security group  
probably doesn't want to "trust" it's parent, it makes perfect sense  
for the code to *look* for such a "trust".  Maybe it's an outreach  
group, not a security group, for instance.

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at

More information about the krbdev mailing list