[kitten] Tangent from: Checking the transited list . . .

"Henry B (Hank) Hotz, CISSP" <hbhotz@oxy.edu> Mon, 21 August 2017 18:02 UTC

From: "Henry B (Hank) Hotz, CISSP" <hbhotz@oxy.edu>
In-Reply-To: <649fa812-aacf-80b6-1976-a719eca60fc2@mit.edu>
Date: Mon, 21 Aug 2017 11:02:37 -0700
Cc: Stefan Metzmacher <metze@samba.org>, heimdal-discuss@h5l.org, "krbdev@mit.edu Dev List" <krbdev@mit.edu>, "kitten@ietf.org" <kitten@ietf.org>, Samba Technical <samba-technical@lists.samba.org>
Message-Id: <F5A25DBF-476A-462D-A7F1-C901BFC069D6@oxy.edu>
References: <f33d5f68-1fdc-c1bc-c702-70b054880bb4@samba.org> <649fa812-aacf-80b6-1976-a719eca60fc2@mit.edu>
To: Greg Hudson <ghudson@mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/FfROCoQM6ZVT8Uje4PsIj91hUAY>
Subject: [kitten] Tangent from: Checking the transited list . . .

> On Aug 21, 2017, at 7:05 AM, Greg Hudson <ghudson@mit.edu> wrote:
> 
> I'm not sure about "any KDC in the trust chain trusts the next hop."
> RFC 4120 doesn't think about cross-realm relationships in terms of
> trust.  Simply having cross-realm keys with another realm doesn't
> necessarily imply that the other realm is trustworthy.

That’s always been a slippery distinction in practice. Trust depends on “local policy” which may be determined by many things that are orthogonal to what the crypto can actually provide. Unless you’re writing the code yourself, I would presume that anything with an exchanged set of keys is trusted for authentication. Authorization is, of course, outside the scope of Kerberos.

Personal email.  hbhotz@oxy.edu
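As an added illustration of the "local policy" point in the message above (not code from this thread or from any KDC), the following Python shows a capaths-style transited-path check: whether an intermediate realm is acceptable is decided by a policy table, separately from whether cross-realm keys with that realm exist. The CAPATHS table, realm names and function names are constructed for this example.

```python
"""Transited-path policy check in the spirit of Kerberos cross-realm
'local policy' (RFC 4120 section 3.3.3.2).  Illustration only: the policy
model is a simplified capaths-style table, not any KDC's actual code."""

from typing import Dict, List, Optional, Tuple

# Constructed sample policy, shaped like a [capaths] table:
#   CAPATHS[client_realm][server_realm] -> allowed intermediate realms.
# A lone "." means the two realms are directly connected (no intermediates).
CAPATHS: Dict[str, Dict[str, List[str]]] = {
    "ATHENA.MIT.EDU": {
        "CS.WASHINGTON.EDU": ["MIT.EDU", "EDU", "WASHINGTON.EDU"],
        "ENG.EXAMPLE.COM": ["."],
    },
}


def allowed_intermediates(policy: Dict[str, Dict[str, List[str]]],
                          client_realm: str,
                          server_realm: str) -> Optional[List[str]]:
    """Return the intermediate realms policy permits, or None if no entry."""
    path = policy.get(client_realm, {}).get(server_realm)
    if path is None:
        return None
    return [realm for realm in path if realm != "."]


def check_transited(policy: Dict[str, Dict[str, List[str]]],
                    client_realm: str,
                    server_realm: str,
                    transited: List[str]) -> Tuple[bool, str]:
    """Decide whether an already-decoded transited list is acceptable.

    Returns (ok, reason).  A realm may hold cross-realm keys with us, so its
    tickets verify cryptographically, and still be refused as an intermediary
    because the policy table does not name it for this client/server pair.
    """
    allowed = allowed_intermediates(policy, client_realm, server_realm)
    if allowed is None:
        # No policy entry: accept only a direct hop, refuse any intermediary.
        if not transited:
            return True, "direct cross-realm, no intermediaries"
        return False, "no policy for %s -> %s" % (client_realm, server_realm)
    unexpected = [realm for realm in transited if realm not in allowed]
    if unexpected:
        return False, "unlisted intermediate realm(s): " + ", ".join(unexpected)
    return True, "all intermediaries permitted by policy"
```

The check takes realm names already expanded from the compressed transited encoding; decoding that field is a separate step.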