Initial Auth Realm Fall-back
Henry B. Hotz
hotz at jpl.nasa.gov
Mon Aug 19 20:12:57 EDT 2013
On Aug 19, 2013, at 1:44 PM, Russ Allbery <rra at stanford.edu> wrote:
> "Henry B. Hotz" <hotz at jpl.nasa.gov> writes:
>
>> For the specific case of all the realms satisfying the NIST 800-63
>> constraints on cross-realm relationships I think it's OK. (From memory:
>> that's all realms under the same administrative control, and all
>> usernames synchronized, but don't hold me to it.)
>
> If you have cross-realm, it's not at all clear that you would need this.
> I expect it to be the most useful for client-side pseudo-merging of
> multiple realms where you *don't* have cross-realm.
It's actually a bit circular, since in those circumstances (800-63 constraints + desire for merging) you probably don't have any of the usual obstacles to creating cross-realm trusts. ;-)
> --
> Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu