Initial Auth Realm Fall-back

Henry B. Hotz hotz at
Mon Aug 19 20:12:57 EDT 2013

On Aug 19, 2013, at 1:44 PM, Russ Allbery <rra at> wrote:

> "Henry B. Hotz" <hotz at> writes:
>> For the specific case of all the realms satisfying the NIST 800-63
>> constraints on cross-realm relationships I think it's OK.  (From memory:
>> that's all realms under the same administrative control, and all
>> usernames synchronized, but don't hold me to it.)
> If you have cross-realm, it's not at all clear that you would need this.
> I expect it to be the most useful for client-side pseudo-merging of
> multiple realms where you *don't* have cross-realm.

It's actually a bit circular, since in those circumstances (800-63 constraints + desire for merging) you probably don't have any of the usual obstacles to creating cross-realm trusts.  ;-)

> -- 
> Russ Allbery (rra at             <>

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at

More information about the krbdev mailing list