XTGSP, the Inter-TGS protocol for cross-realm operations in Kerberos.
draft-zrelli-krb-xtgsp-01
Document type: Expired Internet-Draft (individual)
Status: Expired & archived
Author: Saber Zrelli
Last updated: 2007-03-05
RFC stream: (None)
Intended RFC status: (None)
Stream state: (No stream defined)
Consensus boilerplate: Unknown
RFC Editor Note: (None)
IESG state: Expired
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)
This Internet-Draft is no longer active; a copy of the expired draft remains archived.
Abstract
Cross-realm operations in Kerberos allow users to access services offered by foreign realms. Cross-realm operations are based on inter-realm trust built using shared symmetric keys (inter-realm keys) between the KDCs of the realms offering cross-realm services. The current cross-realm authentication model may be the origin of performance, scalability and security issues. This document provides a brief overview of these issues and introduces a new cross-realm model based on PKINIT. The new model, called XTGSP, defines a protocol that allows a client to obtain a service ticket for a service offered by a foreign realm in a single round trip. The protocol specifies an exchange between Kerberos KDCs that enables a local KDC to build a TGS-REP message for a service that is registered in a remote realm. The XTGSP exchange is secured using inter-realm keys maintained using the PKINIT extension.
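The round-trip saving the abstract describes is easiest to see with both paths side by side. The following Python model is an added illustration, not code from the draft or from any Kerberos implementation: it puts the conventional cross-realm path (the client fetches a cross-realm TGT from its home KDC, then carries it to the foreign KDC) next to an XTGSP-style path in which the home KDC performs the inter-KDC exchange itself, protected by the shared inter-realm key, and answers the client in one TGS exchange. The realm names A.EXAMPLE and B.EXAMPLE, the principal names, the message field names and the HMAC-based "seal" standing in for Kerberos EncryptedData are all assumptions; the draft's actual message formats are not reproduced here.

```python
"""Schematic model of Kerberos cross-realm ticket acquisition: the conventional
two-hop path beside the single-round-trip XTGSP path from the abstract. Added
illustration only; field names, principals and the HMAC "seal" are assumptions,
not the draft's wire format (a real KDC encrypts tickets and session keys)."""
import hashlib, hmac, json, os

def seal(key, payload):  # stand-in for Kerberos EncryptedData: MAC under a symmetric key
    body = json.dumps(payload, sort_keys=True)
    return {"body": body, "mac": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}

def unseal(key, sealed):  # rejects anything not produced under `key` (wrong peer, tampering)
    expected = hmac.new(key, sealed["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["mac"]):
        raise ValueError("bad MAC: wrong key or tampered message")
    return json.loads(sealed["body"])

def make_ticket(key, issuer, sname, client):  # cleartext issuer/sname + part only `key` opens
    return {"realm": issuer, "sname": sname, "enc": seal(key, {"client": client, "sname": sname})}

class KDC:
    def __init__(self, realm, krbtgt_key, service_keys, interrealm_keys):
        self.realm = realm
        self.krbtgt_key = krbtgt_key            # seals this realm's own TGTs
        self.service_keys = service_keys        # sname -> service long-term key
        self.interrealm_keys = interrealm_keys  # peer realm -> shared inter-realm key
        self.peers = {}                         # peer realm -> KDC reachable over the network

    def issue_tgt(self, client):
        return make_ticket(self.krbtgt_key, self.realm, f"krbtgt/{self.realm}", client)

    def _open_tgt(self, ticket):
        """Accept our own TGTs, or cross-realm TGTs issued by a peer we share a key with."""
        if ticket["sname"] != f"krbtgt/{self.realm}":
            raise ValueError("not a TGT for this realm")
        key = self.krbtgt_key if ticket["realm"] == self.realm else self.interrealm_keys[ticket["realm"]]
        return unseal(key, ticket["enc"])["client"]

    def tgs_req(self, tgt, sname, srealm):
        """Conventional TGS-REQ: a foreign service yields a cross-realm TGT that the
        client must carry to the foreign KDC itself (one more client round trip)."""
        client = self._open_tgt(tgt)
        if srealm == self.realm:
            return make_ticket(self.service_keys[sname], self.realm, sname, client)
        return make_ticket(self.interrealm_keys[srealm], self.realm, f"krbtgt/{srealm}", client)

    def tgs_req_xtgsp(self, tgt, sname, srealm):
        """XTGSP-style TGS-REQ: the local KDC queries the remote KDC under the
        inter-realm key and returns the foreign service ticket in the same reply."""
        client = self._open_tgt(tgt)
        if srealm == self.realm:
            return self.tgs_req(tgt, sname, srealm)
        k = self.interrealm_keys[srealm]
        xreq = seal(k, {"from": self.realm, "client": client, "sname": sname})
        xrep = self.peers[srealm].xtgsp_serve(self.realm, xreq)
        return unseal(k, xrep)["ticket"]

    def xtgsp_serve(self, from_realm, xreq):
        """Remote side of the inter-KDC exchange: only a peer holding our shared key
        can have a ticket minted for one of our services."""
        k = self.interrealm_keys[from_realm]
        req = unseal(k, xreq)
        ticket = make_ticket(self.service_keys[req["sname"]], self.realm, req["sname"], req["client"])
        return seal(k, {"ticket": ticket})

def conventional_path(kdcs, home, tgt, sname, srealm):
    """Client-side walk of the trust path; returns (service ticket, client round trips)."""
    ticket, realm, trips = tgt, home, 0
    while ticket["sname"] != sname:
        trips += 1
        ticket = kdcs[realm].tgs_req(ticket, sname, srealm)
        if ticket["sname"].startswith("krbtgt/"):
            realm = ticket["sname"].split("/", 1)[1]  # next hop named by the cross-realm TGT
    return ticket, trips

def service_accepts(service_key, ticket, sname):
    try:
        return ticket["sname"] == sname and unseal(service_key, ticket["enc"])["sname"] == sname
    except ValueError:
        return False

def demo():
    """Two realms sharing one inter-realm key; alice@A.EXAMPLE wants host/www.b.example@B.EXAMPLE."""
    k_ab, sname = os.urandom(32), "host/www.b.example"
    a = KDC("A.EXAMPLE", os.urandom(32), {}, {"B.EXAMPLE": k_ab})
    b = KDC("B.EXAMPLE", os.urandom(32), {sname: os.urandom(32)}, {"A.EXAMPLE": k_ab})
    a.peers["B.EXAMPLE"], b.peers["A.EXAMPLE"] = b, a
    tgt = a.issue_tgt("alice@A.EXAMPLE")
    t_conv, trips_conv = conventional_path({a.realm: a, b.realm: b}, a.realm, tgt, sname, b.realm)
    t_x = a.tgs_req_xtgsp(tgt, sname, b.realm)  # the single XTGSP client round trip
    rogue = KDC("A.EXAMPLE", os.urandom(32), {}, {"B.EXAMPLE": os.urandom(32)})  # lacks K_AB
    rogue.peers["B.EXAMPLE"] = b
    try:
        rogue.tgs_req_xtgsp(rogue.issue_tgt("mallory@A.EXAMPLE"), sname, b.realm)
        rogue_rejected = False
    except ValueError:
        rogue_rejected = True
    return {"conventional_trips": trips_conv, "conventional_ok": service_accepts(b.service_keys[sname], t_conv, sname),
            "xtgsp_trips": 1, "xtgsp_ok": service_accepts(b.service_keys[sname], t_x, sname),
            "rogue_rejected": rogue_rejected}
```

Running `demo()` yields two client round trips for the conventional path and one for the XTGSP path, with the foreign service accepting both tickets. The `rogue` KDC shows where the trust boundary sits in both models: B's XTGSP responder mints a ticket only for a request sealed under the inter-realm key it shares with A, which is exactly the key that also backs the cross-realm TGT in the conventional path. The abstract's point that these keys are maintained through PKINIT rather than provisioned by hand is not modelled; here `k_ab` is simply shared at setup.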