Adam: I have to disagree with you. There are models for Kerberos use in the P2P space in which every machine is its own realm. These models work quite well provided there is a method by which the key exchange between realms can take place without manual administrator intervention when it is permissible by policy.
The Public Key Initial Authentication mechanism can also be used in a model in which a client that wants to obtain an identity in a realm would generate a self-signed certificate and use some currently undefined registration protocol to establish an identity in that realm. Granted, these models are currently not distributed such that you could download an implementation from MIT or KTH, but that is because there has not been appropriate demand for such functionality, and the current Kerberos implementors do not have the resources to develop and test functionality that is not of immediate use to current large-scale users. However, this functionality is on the drawing board for future IETF standardization and implementation, provided the necessary resources can be acquired to complete the work.

In any case, this is not the biggest impediment to OpenAFS adoption. If you can obtain a domain name and publish the appropriate records in a name server, then you can successfully deploy an AFS cell and Kerberos realm. You can then issue principal names in your realm for access to your cell according to any policy that you wish. If you want to allow random people to access your cell, then you can set up a web front end to kadmin to allow random people to obtain a principal name.

Jeffrey Altman
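As an added example, not code from this thread, from the MIT or KTH Kerberos distributions, or from OpenAFS: the message above suggests a "web front end to kadmin" that lets random people obtain a principal name. The policy layer such a front end needs before it hands a stranger's request to kadmin is the interesting part, so the sketch below validates the requested name, refuses names that would collide with administrative or service identities, mints the initial password server-side, and drives `kadmin.local` over stdin instead of a shell string. The realm `EXAMPLE.COM`, the naming rule, the reserved-name list and the `+needchange` policy are assumptions chosen for illustration; the `runner` hook exists so the logic can be exercised without a KDC.

```python
"""Backend for a self-service "web front end to kadmin" (added example).

Not code from the thread, from MIT/KTH Kerberos, or from OpenAFS. It shows
the policy checks a public registration form should apply before invoking
kadmin on a stranger's behalf. REALM, NAME_RE and RESERVED are assumptions.
"""
import re
import secrets
import string
import subprocess
from dataclasses import dataclass
from typing import Callable, Optional

REALM = "EXAMPLE.COM"            # assumption: the deployer's realm name
PASSWORD_LEN = 20

# Assumed self-service naming rule: lower case, letter first, up to 32
# characters. It excludes '/' (instance separator) and '@' (realm separator),
# so a requester cannot mint host/..., <x>/admin or a principal in a foreign
# realm through the form.
NAME_RE = re.compile(r"[a-z][a-z0-9._-]{0,31}")

# Assumed reserved names: identities a public form must never hand out
# because the KDC, AFS or site tooling treats them specially.
RESERVED = frozenset({"admin", "root", "kadmin", "krbtgt", "afs", "host"})


class PolicyError(ValueError):
    """The requested name violates the registration policy."""


def policy_violation(requested: str) -> Optional[str]:
    """Return why `requested` is unacceptable, or None if it passes policy."""
    name = requested.strip().lower()
    if not NAME_RE.fullmatch(name):
        return "name must be 1-32 chars of [a-z0-9._-] and start with a letter"
    if name in RESERVED:
        return f"'{name}' is reserved"
    return None


def validate_name(requested: str) -> str:
    """Normalise the requested name or raise PolicyError."""
    reason = policy_violation(requested)
    if reason is not None:
        raise PolicyError(reason)
    return requested.strip().lower()


def generate_password(length: int = PASSWORD_LEN) -> str:
    """Initial password from the CSPRNG; letters and digits only, so it needs
    no quoting inside the kadmin command."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


@dataclass
class Registration:
    principal: str
    initial_password: str
    kadmin_script: str       # exact text fed to kadmin.local's stdin


def _run_kadmin_local(script: str) -> None:
    # kadmin.local reads commands from stdin, so the password never shows up
    # in the process list the way `kadmin.local -q "addprinc -pw ..."` would.
    subprocess.run(["kadmin.local"], input=script, text=True, check=True)


def register(requested: str,
             runner: Callable[[str], None] = _run_kadmin_local) -> Registration:
    """Validate the request and create `<name>@REALM` with a bootstrap password.

    `runner` receives the kadmin.local input; a stub can be substituted so
    nothing talks to a real KDC.
    """
    name = validate_name(requested)
    password = generate_password()
    principal = f"{name}@{REALM}"
    # +needchange forces the user to choose their own password at first use,
    # so the value handed back to the web layer is only a bootstrap secret.
    script = f"addprinc -pw {password} +needchange {principal}\n"
    runner(script)
    return Registration(principal, password, script)


if __name__ == "__main__":
    # Dry run: show what would be sent to kadmin.local without touching a KDC.
    reg = register("alice", runner=lambda s: print("would send:", s, end=""))
    print("created", reg.principal)
    for bad in ("host/www", "admin", "bob@OTHER.REALM", "Eve Smith"):
        print(bad, "->", policy_violation(bad))
```

The name check is the security boundary: because `/` and `@` can never pass it, the form cannot be used to request `host/...` service principals, `.../admin` instances, or identities in another realm, and the reserved list covers the flat names a KDC or AFS cell depends on. Feeding the command to `kadmin.local` via stdin keeps the bootstrap password out of `ps` output, and `+needchange` ensures that password is replaced by one the user chooses at first login.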