On Thursday, December 29, 2005 11:27:57 PM -0800 Adam Megacz <[EMAIL PROTECTED]> wrote:

> I really think it's more of a political issue than anything else; I
> doubt they'd ever accept anything involving public key crypto as an
> "official, standard, core" part of Kerberos.

I'm quite sure you're wrong; there is no political barrier to adding features to Kerberos which make use of public key crypto. At least, I haven't noticed any during my time in the IETF.

PKINIT is pretty much complete; once I am convinced that no further work is required on the one remaining issue, I will ask the responsible Area Director to take it to the IESG with a request to publish as a proposed standard. See draft-ietf-cat-kerberos-pk-init-31.txt.

With the current PKINIT spec, it is certainly possible to have a KDC which issues tickets to clients on the basis of certificates signed by a CA it trusts, without requiring prior registration of those clients with the KDC. Of course I'd expect any real-life realm administrator to be rather conservative about what CAs he trusts, and I can't predict what sort of principal names such a realm might choose to use in real life.


> I'm willing to contribute substantial developer-hours to realizing the
> goal of easy, administrator-intervention-free cross-realm and
> non-realm authentication.

Cross-realm authentication is always going to be at the discretion of the realm administrators involved; that's a policy issue, not a technical one. However, it is possible to build a public-key-based mechanism which would make it possible to perform cross-realm authentication without requiring manual intervention by the realm admins each time. This is what PKCROSS is all about, and while we've turned our attention away from that for a while to get other things done (PKINIT, updates to the core Kerberos spec, etc.), I'm sure there are people who will be interested in picking up that work once enough cycles become available. Take a look at draft-ietf-cat-kerberos-pk-cross, if you can find a copy (try the archive at watersprings.org).


If you're interested in participating in this work, you should do exactly what Jeff described -- become active in the IETF Kerberos Working Group. Subscribe to the ietf-krb-wg@anl.gov mailing list (via [EMAIL PROTECTED]). Contribute to the ongoing work. Volunteer to edit a draft.


-- Jeff
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
