Hello,

Simo Sorce wrote:
>> * Is this concealment of user names considered a good idea?
>
> It may be useful

I now realise I didn't state my purposes:

* the ability of a remote service to configure access to roles/groups, and leave the assignment of individuals to roles/groups to the sender realm
* privacy of authentication names towards remote realms that may be totally unknown
* more control over return communication by using different names towards different remote parties

>> * Is the idea of going through user/role with KDC-enforced policy good?
>
> I do not think the idea of changing principal names to be particularly
> good.

The path user@MYREALM -> user/group@MYREALM -> group@MYREALM is just one way of doing this, I suppose. It'd be a realm-internal implementation choice to do it this way. I would be interested to learn what you dislike about it?

>> * Am I correct that there are no protocol elements for it yet?
>
> No, there is Authorization Data which you should use for this kind of
> messaging. You can use the CAMMAC now to be able to assign roles in a
> custom AD and have it transported from your TGT to service tickets w/o
> further processing power spent at TGS time.

Thanks, will study.

>> * Are the ideas under (1) and (2) above worth considering?
>
> Probably not. (1) should be handled with additional Authorization Data,
> (2) probably using FAST into a pkinit anonymous channel.

Thanks.

-Rick

P.S. I know this overlaps Kitten activity; I wanted to poll on this user-oriented list first.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
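Simo's pointer at Authorization Data is the concrete piece of the thread. The following is an added example written for this page; it is not code from the thread, from MIT Kerberos or from any library. It builds the AuthorizationData structure of RFC 4120 section 5.2.6 with a role list in a private ad-type, wraps it in AD-IF-RELEVANT (ad-type 1) so that a service which does not know the private type skips it rather than rejecting the ticket, and shows the service-side parse. The ad-type value -1000 and the JSON payload are assumptions for illustration (RFC 4120 reserves negative ad-types for local use); the CAMMAC container Simo mentions (AD-CAMMAC, RFC 7751) adds KDC verifiers on top of this and is not implemented here.

```python
"""Build and parse a Kerberos AuthorizationData element (RFC 4120 section 5.2.6)
carrying a private role list inside AD-IF-RELEVANT. Hand-rolled DER, stdlib only.

    AuthorizationData ::= SEQUENCE OF SEQUENCE {
        ad-type  [0] Int32,
        ad-data  [1] OCTET STRING
    }

AD_ROLES_PRIVATE and the JSON payload are assumptions for this example, not
something any KDC or library defines.
"""
import json

AD_IF_RELEVANT = 1        # RFC 4120: contents may be ignored by services that do not understand them
AD_ROLES_PRIVATE = -1000  # hypothetical local ad-type; negative values are reserved for local use


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(v: int) -> bytes:
    """INTEGER with the minimal two's-complement encoding DER requires."""
    nbytes = 1
    while not -(1 << (8 * nbytes - 1)) <= v < (1 << (8 * nbytes - 1)):
        nbytes += 1
    return _tlv(0x02, v.to_bytes(nbytes, "big", signed=True))


def encode_authdata(elements) -> bytes:
    """elements: iterable of (ad_type, ad_data bytes) -> DER AuthorizationData.
    Kerberos context tags are explicit, hence constructed [0]/[1] = 0xA0/0xA1."""
    body = b""
    for ad_type, ad_data in elements:
        body += _tlv(0x30, _tlv(0xA0, _der_int(ad_type)) + _tlv(0xA1, _tlv(0x04, ad_data)))
    return _tlv(0x30, body)


def _read_tlv(buf: bytes, pos: int):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _expect(buf: bytes, pos: int, tag: int):
    got, body, pos = _read_tlv(buf, pos)
    if got != tag:
        raise ValueError(f"expected tag {tag:#04x}, got {got:#04x}")
    return body, pos


def decode_authdata(buf: bytes):
    """DER AuthorizationData -> list of (ad_type, ad_data). Rejects trailing bytes."""
    seq, end = _expect(buf, 0, 0x30)
    if end != len(buf):
        raise ValueError("trailing bytes after AuthorizationData")
    elements, pos = [], 0
    while pos < len(seq):
        elem, pos = _expect(seq, pos, 0x30)
        ctx0, p = _expect(elem, 0, 0xA0)
        ad_type_raw, _ = _expect(ctx0, 0, 0x02)
        ctx1, p = _expect(elem, p, 0xA1)
        ad_data, _ = _expect(ctx1, 0, 0x04)
        if p != len(elem):
            raise ValueError("trailing bytes inside AuthorizationData element")
        elements.append((int.from_bytes(ad_type_raw, "big", signed=True), ad_data))
    return elements


def build_role_authdata(roles) -> bytes:
    """What a KDC-side plugin would insert: the role list as a private element
    wrapped in AD-IF-RELEVANT."""
    inner = encode_authdata([(AD_ROLES_PRIVATE, json.dumps(roles).encode())])
    return encode_authdata([(AD_IF_RELEVANT, inner)])


def extract_roles(buf: bytes, _inside_if_relevant: bool = False):
    """Service side: collect roles from a decrypted ticket's authorization-data.
    Unknown elements inside AD-IF-RELEVANT are skipped; an unknown element at top
    level is critical and makes the whole ticket unusable (RFC 4120 semantics)."""
    roles = []
    for ad_type, ad_data in decode_authdata(buf):
        if ad_type == AD_IF_RELEVANT:
            roles.extend(extract_roles(ad_data, _inside_if_relevant=True))
        elif ad_type == AD_ROLES_PRIVATE:
            roles.extend(json.loads(ad_data.decode()))
        elif not _inside_if_relevant:
            raise ValueError(f"unrecognised critical ad-type {ad_type}")
    return roles


if __name__ == "__main__":
    blob = build_role_authdata(["admins", "auditors"])  # constructed sample input
    print(blob.hex())
    print(extract_roles(blob))
```

A service should only act on roles parsed this way after it has decrypted the ticket with its own key, and even then the container alone does not say who put the element there: RFC 4120 lets a client hand the KDC authorization data in a TGS-REQ and have it copied into the ticket. That is the gap the KDC verifier in AD-CAMMAC (RFC 7751) closes, and why Simo points at CAMMAC rather than a bare custom ad-type.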