On Sun, Aug 03, 2014 at 11:33:58AM -0700, Booker Bense wrote:
> This whole conversation seems misguided to me. Kerberos is an
> authentication system, not an authorization one. Access to a service
> is an authorization issue. Since there is no universal authorization
> scheme for kerberos applications, any workable revocation system will
> have to build that first. That would be a very useful tool, but I'm
> afraid it might be about 20 years too late.
This isn't about authorization. The thing being revoked is the principal and/or its extant tickets. Kerberos' design specifically obviates the need for a revocation system: use short-lived tickets and you're mostly set.

That said, we've long ago stopped arguing about Kerberos as an authentication system, and its relevance to authorization. Kerberos is relevant even to the simplest authorization schemes just by dint of delivering the key to those schemes: the authenticated identity (principal name). Often Kerberos also carries authorization-specific attributes (e.g., PAC, CAMMAC). Either way Kerberos is orthogonal to authorization, but authentication is integral to authorization, therefore it's hard to separate the two.

Incidentally, the rest of the world (e.g., SAML) long ago accepted that an attribute model of identity (and therefore authentication) is more important than the more traditional Kerberos model.

Nico
--
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
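An added example, not code from the thread or from any Kerberos implementation, illustrating Nico's point that short-lived tickets stand in for revocation: it parses constructed MIT-style `klist` output and reports how long each already-issued ticket stays usable after the principal is disabled at the KDC. It assumes the KDC refuses new service tickets and renewals for a disabled principal; the cache contents, dates and principal names are made up.

```python
"""Residual exposure of tickets already issued to a principal that the KDC
has since disabled.  Assumes MIT-style `klist` output (the sample below is
constructed) and that a disabled principal gets no new service tickets and
no renewals, so each ticket it holds stays usable only until it expires."""
import re
from datetime import datetime, timedelta

# Constructed sample in the layout MIT krb5's `klist` prints.
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
08/03/2014 11:40:00  08/03/2014 21:40:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 08/10/2014 11:40:00
08/03/2014 11:41:12  08/03/2014 21:40:00  host/files.example.com@EXAMPLE.COM
08/03/2014 09:00:00  08/03/2014 11:00:00  imap/mail.example.com@EXAMPLE.COM
"""

FMT = "%m/%d/%Y %H:%M:%S"
TICKET_RE = re.compile(r"^(\S+ \S+)\s+(\S+ \S+)\s+(\S+)$")
RENEW_RE = re.compile(r"^\s*renew until (\S+ \S+)$")

def parse_klist(text):
    """Return one dict per ticket: service, start, expires, renew_until."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({"service": m.group(3),
                            "start": datetime.strptime(m.group(1), FMT),
                            "expires": datetime.strptime(m.group(2), FMT),
                            "renew_until": None})
        elif (m := RENEW_RE.match(line)) and tickets:
            # A "renew until" line belongs to the ticket printed just above it.
            tickets[-1]["renew_until"] = datetime.strptime(m.group(1), FMT)
    return tickets

def residual_seconds(text, disabled_at):
    """Seconds each ticket remains usable after `disabled_at` (a string in
    klist's date format).  Renewal needs the KDC, which now refuses, so
    renew_until does not extend the window; expired tickets count as 0."""
    cutoff = datetime.strptime(disabled_at, FMT)
    return {t["service"]: max((t["expires"] - cutoff).total_seconds(), 0.0)
            for t in parse_klist(text)}

if __name__ == "__main__":
    for svc, secs in residual_seconds(KLIST_OUTPUT, "08/03/2014 12:00:00").items():
        print(f"{svc:40s} usable for {timedelta(seconds=secs)} more")
```

The largest value in the report is the window a shorter realm ticket lifetime shrinks; a renewable TGT is not a loophole here only because renewal goes back to the KDC.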
