
Re: alternative to user-to-user Kerberos in KINK



Jan Vilhuber <vilhuber@xxxxxxxxx> writes:

> I guess that's one way. The other is to never use u-u, and force everyone to
> be a principal in the KDC. Not being 100% kerberos-expert, this appeals to me
> more, especially in light of the fact that a pkinit-enrollment may be useful
> in other protocols/occasions (I'm guessing).

The problem is that this won't work for a user being the responder.  A
user would be enrolled in the KDC, but they have a password, not a
keytab.  So the system would only have a TGT credential to work with
(although a foreign system would still be able to get a "valid"
service-key response from the KDC).

Perhaps we just don't care; or perhaps "users" can only be IPSec
initiators.

-derek

> jan
>  --
> Jan Vilhuber                                            vilhuber@xxxxxxxxx
> Cisco Systems, San Jose                                     (408) 527-0847

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/      PP-ASEL      N1NWH
       warlord@xxxxxxx                        PGP key available
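The credential mismatch Derek points at is easy to see in a small model, so here is an added example (not code from this thread, from KINK, or from any Kerberos implementation). It models a KDC with a principal database, an AS exchange, a normal TGS exchange and a user-to-user TGS exchange; the names (alice, bob, host/gw.example.com), the password-derived keys and the hash-based "seal/unseal" routine are all constructed for the illustration and stand in for real Kerberos enctypes, timestamps and authenticators, which are omitted. The point it demonstrates: the KDC will issue a service ticket for the user principal "bob" to anyone holding a TGT, but bob's host, which did the equivalent of kinit and kept only the TGT and its session key, cannot decrypt that ticket; only a keytab holder (the gateway service) or a u2u ticket encrypted under bob's TGT session key works.

```python
"""Toy model: why a user principal with a password, not a keytab, cannot act as
a Kerberos responder without user-to-user tickets.  Constructed example; the
"encryption" is a hash-based toy, not a Kerberos enctype."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, data: bytes) -> bytes:
    """Toy authenticated encryption: nonce || XOR-keystream ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None if the blob was not sealed under this key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def password_key(principal: str, password: str) -> bytes:
    # Toy string-to-key: salted with the principal name, as Kerberos does.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


class KDC:
    def __init__(self) -> None:
        self.master = os.urandom(32)   # key the TGT itself is sealed under
        self.db = {}                   # principal name -> long-term key

    def register_user(self, name: str, password: str) -> None:
        self.db[name] = password_key(name, password)

    def register_service(self, name: str) -> bytes:
        self.db[name] = os.urandom(32)  # this key is what goes into the keytab
        return self.db[name]

    def as_req(self, name: str, proof: bytes) -> Tuple[bytes, bytes]:
        """AS exchange: caller proves knowledge of the long-term key, gets a TGT."""
        if unseal(self.db[name], proof) != b"preauth":
            raise PermissionError("pre-authentication failed")
        session = os.urandom(32)
        tgt = seal(self.master, name.encode() + b"\x00" + session)
        return tgt, seal(self.db[name], session)

    def _open_tgt(self, tgt: bytes) -> Tuple[bytes, bytes]:
        name, session = unseal(self.master, tgt).split(b"\x00", 1)
        return name, session

    def tgs_req(self, tgt: bytes, target: str) -> Tuple[bytes, bytes]:
        """Normal TGS exchange: ticket sealed under the target's long-term key.
        The KDC answers for ANY registered principal, user or service."""
        client, session = self._open_tgt(tgt)
        sk = os.urandom(32)
        return seal(self.db[target], client + b"\x00" + sk), seal(session, sk)

    def tgs_req_u2u(self, tgt: bytes, target_tgt: bytes) -> Tuple[bytes, bytes]:
        """User-to-user: ticket sealed under the target's TGT session key instead."""
        client, session = self._open_tgt(tgt)
        _, target_session = self._open_tgt(target_tgt)
        sk = os.urandom(32)
        return seal(target_session, client + b"\x00" + sk), seal(session, sk)


@dataclass
class Creds:
    principal: str
    tgt: bytes
    session: bytes            # TGT session key
    keytab: Optional[bytes]   # long-term key; None for a password-only user


def kinit(kdc: KDC, name: str, password: str) -> Creds:
    key = password_key(name, password)
    tgt, enc = kdc.as_req(name, seal(key, b"preauth"))
    return Creds(name, tgt, unseal(key, enc), keytab=None)  # password-derived key discarded


def service_login(kdc: KDC, name: str, keytab: bytes) -> Creds:
    tgt, enc = kdc.as_req(name, seal(keytab, b"preauth"))
    return Creds(name, tgt, unseal(keytab, enc), keytab=keytab)


def accept(responder: Creds, ticket: bytes) -> Optional[bytes]:
    """Responder tries every key it actually holds; returns the client name or None."""
    for key in (responder.keytab, responder.session):
        if key is not None and (pt := unseal(key, ticket)) is not None:
            return pt.split(b"\x00", 1)[0]
    return None


def demo() -> dict:
    kdc = KDC()
    kdc.register_user("alice", "hunter2")
    kdc.register_user("bob", "correct horse")
    keytab = kdc.register_service("host/gw.example.com")
    alice, bob = kinit(kdc, "alice", "hunter2"), kinit(kdc, "bob", "correct horse")
    gw = service_login(kdc, "host/gw.example.com", keytab)
    r = {}
    t, _ = kdc.tgs_req(alice.tgt, "host/gw.example.com")
    r["user_to_service"] = accept(gw, t) == b"alice"              # keytab holder: fine
    t, _ = kdc.tgs_req(alice.tgt, "bob")
    r["plain_ticket_for_user_issued"] = t is not None             # KDC still answers
    r["plain_ticket_for_user_accepted"] = accept(bob, t) == b"alice"  # bob has no keytab
    t, _ = kdc.tgs_req_u2u(alice.tgt, bob.tgt)
    r["u2u_ticket_for_user_accepted"] = accept(bob, t) == b"alice"
    return r


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the three cases side by side: the service with a keytab accepts a normal ticket, the KDC issues a normal ticket for "bob" even though bob's host can do nothing with it, and only the u2u ticket (sealed under bob's TGT session key) is accepted by a password-only user host. The accept() loop is where the design choice sits: a responder can only try keys it actually possesses, and after kinit that is the TGT session key, not the long-term key.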