Re: [kitten] Finding Kerberos Realm Descriptors in secure DNS

Rick van Rein <rick@openfortress.nl> Wed, 16 September 2015 06:15 UTC

Message-ID: <55F908DB.4070907@openfortress.nl>
Date: Wed, 16 Sep 2015 08:14:51 +0200
From: Rick van Rein <rick@openfortress.nl>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: Nico Williams <nico@cryptonector.com>
References: <55F686EA.30206@openfortress.nl> <55F6EA7C.8070608@mit.edu> <20150914161100.GC13294@localhost> <55F6F843.2070609@openfortress.nl> <20150914170757.GC13284@localhost> <55F72B14.8030409@openfortress.nl> <55F7C40F.9000509@openfortress.nl> <55F86534.50109@mit.edu> <20150915185700.GI13294@localhost>
In-Reply-To: <20150915185700.GI13294@localhost>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/g1GmCQGQZTf-CMTKoUXq9cB5atw>
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] Finding Kerberos Realm Descriptors in secure DNS
Precedence: list

Hi,

> I believe it could be done, and certainly LDAP and other things add
> pressure to implement async evented KDCs, so that adding DNS queries
> into the mix wouldn't be a big deal, but I suspect implementors are not
> ready to bite that bullet.
>
> Would this proposal (or variants discussed) really solve a _pressing_
> problem?  Or a problem we believe will be pressing?

Realm crossover outside a fixed KDC set or federation needs KREALM or a variation on that theme; and could then be used to connect arbitrary domains using something like PKCROSS -- which is my hope and intention.

A KDC-side implementation of this mechanism would require DNS queries in the KDC.  It would be the place where an admin can manage this mechanism in a central place, without having to deal with various clients in various contexts.

-Rick

[kitten] Finding Kerberos Realm Descriptors in se… Rick van Rein
Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
Re: [kitten] Finding Kerberos Realm Descriptors i… Greg Hudson
Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
Re: [kitten] Finding Kerberos Realm Descriptors i… Viktor Dukhovni
Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
Re: [kitten] Finding Kerberos Realm Descriptors i… Viktor Dukhovni
Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
Re: [kitten] Finding Kerberos Realm Descriptors i… Viktor Dukhovni
Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
Re: [kitten] Finding Kerberos Realm Descriptors i… Greg Hudson
Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
Re: [kitten] Finding Kerberos Realm Descriptors i… Viktor Dukhovni
Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
Re: [kitten] Finding Kerberos Realm Descriptors i… Martin Rex
Re: [kitten] Finding Kerberos Realm Descriptors i… Watson Ladd
Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
Re: [kitten] Finding Kerberos Realm Descriptors i… Viktor Dukhovni
Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams
Re: [kitten] Finding Kerberos Realm Descriptors i… Rick van Rein
Re: [kitten] Finding Kerberos Realm Descriptors i… Nico Williams