Tangent from: [kitten] Checking the transited list . . .

Henry B (Hank) Hotz, CISSP hbhotz at oxy.edu
Mon Aug 21 14:02:37 EDT 2017

> On Aug 21, 2017, at 7:05 AM, Greg Hudson <ghudson at mit.edu> wrote:
> I'm not sure about "any KDC in the trust chain trusts the next hop."
> RFC 4120 doesn't think about cross-realm relationships in terms of
> trust.  Simply having cross-realm keys with another realm doesn't
> necessarily imply that the other realm is trustworthy.

That’s always been a slippery distinction in practice. Trust depends on “local policy” which may be determined by many things that are orthogonal to what the crypto can actually provide. Unless you’re writing the code yourself, I would presume that anything with an exchanged set of keys is trusted for authentication. Authorization is, of course, outside the scope of Kerberos.

Personal email.  hbhotz at oxy.edu

More information about the krbdev mailing list