Realm lookups again
jhutz at cmu.edu
Wed Oct 1 23:32:16 EDT 2008
--On Wednesday, October 01, 2008 06:44:25 PM -0700 "Henry B. Hotz"
<hotz at jpl.nasa.gov> wrote:
> On Oct 1, 2008, at 3:37 PM, krbdev-request at mit.edu wrote:
>> Date: Wed, 01 Oct 2008 18:14:21 -0400
>> From: Jeffrey Hutzelman <jhutz at cmu.edu>
>> Subject: Re: Realm lookups again
>> To: Nicolas Williams <Nicolas.Williams at sun.com>, ghudson at mit.edu
>> Cc: krbdev at mit.edu, jhutz at cmu.edu
>> Message-ID: <A8CA43248B26022FC02073C7 at atlantis.pc.cs.cmu.edu>
>> Content-Type: text/plain; charset=us-ascii; format=flowed
>> --On Wednesday, October 01, 2008 03:28:03 PM -0500 Nicolas Williams
>> <Nicolas.Williams at sun.com> wrote:
>>> It's a pretty good bet that sub-domain/sub-realm relationships imply
>>> that that the child domain/realm trusts the parent not to attack it
>>> willfully. "Willfully" is a key word there; the parent might be
>>> compromised and forced to attack the child.
>> I'm not sure this is true. It's entirely possible that a large
>> has a smaller core of trusted services which live in a separate
>> realm, not
>> operated by the same people who operate the top-level realm, and
>> which does
>> not trust the top-level realm. Think of a security group within a
>> company, or a large legal or financial firm with a small group that
>> behind a Chinese wall, or a government contractor with a group that
>> classified work.
>> I'm nervous about making the assumption that organizational structure
>> implies trust relationships. It is very common to create smaller
>> organizational units which are either unusually trusted or unusually
>> distrusted compared to the rest of the organization.
>> -- Jeff
> Aren't we running into the issue of what "trust" means? Just because
> you "trust" another organization enough to exchange cryptographic
> keys, doesn't mean you "trust" their people to access all of your
That is true, which is why I hate the term "cross-realm trust".
But no, in this case we're being very specific; Nico said "the child
domain/realm trusts the parent not to attack it willfully". And one of the
attacks we're talking about is the parent attempting to impersonate one of
the child realm's services by causing domain-to-realm lookups to return
It's possible that, given two heirarchically-related realms, the outer
realm can be trusted not to attempt to impersonate services in the inner
realm in this way. However, it's also possible that the outer realm cannot
be trusted in this way, in which case assuming that it could would leave
one vulnerable. It seems to me that "secure by default" demands that such
an assumption not be made without explicit policy to the contrary.
More information about the krbdev