Hello,

A few of you showed an interest in our work towards Realm Crossover between KDCs, protected by DNSSEC/DANE but otherwise suitable to serve the impromptu secure connections between previously unconnected realms.

A page describing the proposed procedure has been posted on the k5wiki,
http://k5wiki.kerberos.org/wiki/Projects/Realm_Crossover_between_KDCs

Although we're documenting options for clients that directly address a remote KDC, the central idea is to have KDCs connect, so they can cache realm crossover keys for as long as the keys may be used. Keys for bidirectional uses require two separate crossover leaps.

If people like, I could release an early I-D describing what we are doing, but it really is premature/unfinished at the moment. For now it feels more like a design/coding project to me.

Oriol (on Cc) is the one heroically implementing this work as his MSc thesis project, and thereby testing my spec work. I should be blamed when anything is wrong with the protocol design.

The implementation uses a separate "KXOVER" daemon to which the KDC forwards certain traffic, so most of the KDC remains untouched and there should be no blocking of the KDC due to these setup actions.

Cheers,

Rick van Rein
OpenFortress.nl / ARPA2.net

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos