capaths questions
Derek Atkins
warlord at MIT.EDU
Mon May 17 15:53:13 EDT 2004
"Douglas E. Engert" <deengert at anl.gov> writes:
> OK, here is another contrived example similar to Ken's,
> but with a few extra realms.
>
> Cross realm keys (- or |) are shared by these realms:
>
> A - B
> | |
> C - D - E
> | |
> F - G - H
> |
> I
>
>
> Say C, F and I are all student run, where as A, B, D, E, G, H are official,
> with B and E for official biz only. So user in A wants to get to server H,
> he takes official path A, B, D, E, G, H
If a user is going to D or G, is that "official biz" or not? How do
you define "official biz" when talking about KDC transits?
> If user in A is going to I, he takes student path: A, C, D, F, G, I
>
> How would you handle this with recursive capaths?
In this (admittedly degenerate) case, you don't. You need to
explicitly label the paths. However in a more general case you could
use recursive capaths.
For example, if 'C' didn't exist, then you could just say:
D = B
E = D
H = E G
F = D
I = F G
I.e., you know that you need to transit through B to get to D, so you
don't need to re-specify that binding for every future path. However
the places where you DO need to specify a path you can still do so
(e.g. to get to H you need to transit via E, but to get to I you need
to transit via F).
> (When the DCE people were looking at this problem, they talked in terms
> of going up the realm tree then across then down, if that helps at all
> in how to handle the problem.)
Uh, IIRC MIT-Kerberos has always supported this... But nobody ever
ran an "EDU", "ORG", or "COM" domain :)
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu.ezproxyberklee.flo.org/warlord/ PP-ASEL-IA N1NWH
warlord at MIT.EDU PGP key available
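As an added illustration (not part of the thread, not krb5.conf syntax, and not how MIT krb5 actually resolves [capaths]), here is the recursive expansion Derek sketches, applied to the five entries from his message as a constructed table seen from realm A:

```python
# Hypothetical resolver for the "recursive capaths" idea in the reply above.
# Each entry lists the realms to transit to reach the key; any listed realm
# that has its own entry is expanded in place before it. This is an
# illustration only, not MIT krb5's [capaths] semantics.

CAPATHS_FROM_A = {        # constructed from the message: "D = B", "E = D", ...
    "D": ["B"],
    "E": ["D"],
    "H": ["E", "G"],
    "F": ["D"],
    "I": ["F", "G"],
}


def resolve_transit(target, capaths, _seen=frozenset()):
    """Return the ordered intermediate realms needed to reach `target`.

    'E = D' together with 'D = B' yields [B, D] for E, so the B binding
    never has to be restated. A cycle in the table raises ValueError
    instead of recursing forever, since a KDC must reject such a config.
    Duplicate realms are dropped, keeping the first occurrence.
    """
    if target in _seen:
        raise ValueError(f"capaths cycle involving realm {target!r}")
    path = []
    for hop in capaths.get(target, []):
        # expand the hop's own prerequisites first, then append the hop
        for realm in resolve_transit(hop, capaths, _seen | {target}) + [hop]:
            if realm not in path:
                path.append(realm)
    return path


def full_path(client_realm, target, capaths):
    """Client realm, every transited realm in order, then the target realm."""
    return [client_realm] + resolve_transit(target, capaths) + [target]


if __name__ == "__main__":
    for realm in ("D", "H", "I"):
        print(realm, "->", ", ".join(full_path("A", realm, CAPATHS_FROM_A)))
```

With this table, H resolves to A, B, D, E, G, H and I to A, B, D, F, G, I, matching the two paths the reply walks through.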