Kerberos is widely used for authentication within organisations. It
is not, however, commonly used for authentication between domains or
realms ("cross-realm operation"). Abfab is a new architecture, based
on the AAA framework, that provides a mechanism for federating
authentication between realms.
AAA protocols are already widely used for federating authentication
for network access scenarios today. It has been proposed that Abfab
could be used to provide a mechanism yielding cross-realm
functionality for Kerberos. This document discusses two alternative
models with the aim of informing and facilitating discussion.