[kitten] Token Preauth for Kerberos

Zheng, Kai kai.zheng at intel.com
Fri Jun 13 04:07:50 EDT 2014


Nathaniel,

Yes, I like the idea, and hopefully the token-preauth mechanism can benefit from it. Thanks.

Regards,
Kai

-----Original Message-----
From: Nathaniel McCallum [mailto:npmccallum at redhat.com]
Sent: Wednesday, June 11, 2014 10:52 PM
To: Zheng, Kai
Cc: Greg Hudson; kitten at ietf.org; krbdev at mit.edu; Jiang, Weihua
Subject: Re: [kitten] Token Preauth for Kerberos

On Wed, 2014-06-11 at 08:15 +0000, Zheng, Kai wrote:
> Hi Greg,
> 
> Thanks for your valuable feedback and suggestions!
> 
> 1. Yes, you're right, I'm taking the OTP approach and using the FAST armor
> key as the reply key. As mentioned in the proposal, we suggest PKINIT
> be deployed along with this mechanism, and the client uses anonymous PKINIT
> to obtain the armor ticket. It doesn't provide mutual authentication, since only the KDC is authenticated to the client, with the configured certificate of the KDC, and the client isn't, because it lacks a certificate, so as to avoid the deployment overhead in our solution. So protecting the token in the AS-REQ exchange mainly depends on the FAST tunnel, and the client should be careful about the armor ticket.

You may be interested in this proposal:
http://mailman.mit.edu/pipermail/krbdev/2014-May/011958.html

Nathaniel
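As an added illustration (not part of this thread, and not taken from the token-preauth proposal), the MIT krb5 configuration that the quoted paragraph implies: the KDC presents a certificate, the client holds only a CA anchor, and anonymous PKINIT yields the armor ticket that FAST then uses to tunnel the token. The realm EXAMPLE.COM, the hostnames and the file paths are assumed placeholders; the configuration keys are standard MIT krb5 ones.

```ini
# --- KDC side: kdc.conf (paths and realm are placeholders) ---
[realms]
    EXAMPLE.COM = {
        # Certificate and key the KDC presents during PKINIT. In the anonymous
        # exchange this is the only party that gets authenticated, so the
        # strength of the later FAST tunnel rests on this certificate.
        pkinit_identity = FILE:/etc/krb5kdc/kdc.pem,/etc/krb5kdc/kdckey.pem
        pkinit_anchors = FILE:/etc/krb5kdc/cacert.pem
    }

# --- Client side: krb5.conf (no client certificate is deployed) ---
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        # CA that issued the KDC certificate. Without an anchor the client
        # cannot verify the KDC's PKINIT signature, so the armor ticket, and
        # the FAST tunnel carrying the token, would be obtained from an
        # unauthenticated KDC.
        pkinit_anchors = FILE:/etc/krb5/cacert.pem
        # Insist on the id-pkinit-KPKdc extended key usage in the KDC
        # certificate rather than accepting any TLS server certificate.
        pkinit_eku_checking = kpKDC
    }
```

The KDC database must contain the anonymous principal (`kadmin.local -q 'addprinc -randkey WELLKNOWN/ANONYMOUS'`). The client then runs `kinit -n -c /tmp/armor_cc` to obtain the anonymous armor ticket and `kinit -T /tmp/armor_cc user@EXAMPLE.COM` for the FAST-armored AS exchange in which the preauthentication token travels. The check that matters for the point made in the thread is that the anchor and EKU settings are present on every client: they are what turn "the client should be careful about the armor ticket" into an enforced property.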



