XTGSP, the Inter-TGS protocol for cross-realm operations in Kerberos.
draft-zrelli-krb-xtgsp-01

Document Type: Expired Internet-Draft (individual), expired & archived
Author: Saber Zrelli
Last updated: 2007-03-05
RFC stream: (None)
Intended RFC status: (None)
Stream state: (No stream defined)
Consensus boilerplate: Unknown
RFC Editor Note: (None)
IESG state: Expired
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active.

Abstract

Cross-realm operations in Kerberos allow users to access services offered by foreign realms. The cross-realm operations are based on inter-realm trust built using shared symmetric keys (also known as inter-realm keys) between the KDCs of the realms offering cross-realm services. The current cross-realm authentication model may be the origin of performance, scalability and security issues. This document provides a brief overview of these issues and introduces a new cross-realm model based on PKINIT. The new model, called XTGSP, defines a protocol that allows a client to obtain a service ticket, for a service offered by a foreign realm, in a single round trip. The protocol specifies an exchange between Kerberos KDCs that enables a local KDC to build a TGS-REP message for a service that is registered in a remote realm. The XTGSP exchange is secured using inter-realm keys maintained using the PKINIT extension.

Authors

Saber Zrelli

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)