Adam Megacz <[EMAIL PROTECTED]> writes:

> Now all we need is a widely-accepted, widely-adopted way to authenticate
> users who are not in the kerberos database of the local cell, and do so
> without administrator intervention (ie without adding a ridiculous N^2
> cross-realm entries). Ideally this would also include users who do not
> have a kerberos identity in *any* cell/kdc, anywhere.
How do you do identity management for people who are unknown to everyone
everywhere? I mean, I can write a trivial little system that does exactly
what you say above. The technical issues aren't the hard part. You just
accept any username, create a KDC entry for them, and give them an empty
password. Tada, authenticated. You just don't know *who* you've
authenticated, and that's the hard part. :)

As soon as you have some way of identifying this person and managing
identity for them, the problem reduces to figuring out how to either
create a Kerberos entry for them or trust someone else's existing realm.
Shibboleth is interesting in this regard.

> There are a lot of competing solutions and partial-solutions out there
> (gssklogd, kx509, pkinit), but I think widespread agreement will matter
> most in the end.

I can't speak to gssklogd, but kx509 and pkinit aren't solving this
problem. Those are ways to authenticate someone *after* you've done the
identity management part and have given them a certificate or signed one.
That's the easy part. The hard part is the part that has to happen
*before* that.

Now, it may be that the delegation of trust is easier with a
certificate-based authentication system rather than with traditional
Kerberos, so I can understand why people are pursuing allowing
authentication via certificate as part of a long-term solution. But
you're just exchanging your problems for other problems -- in particular,
the user now has this piece of magic data that they have to keep track of
that your average user doesn't understand and isn't going to have with
them when they use that web kiosk system in the airport.

> There's no reason why AFS can't offer/support a PKI mechanism that is as
> easy to use as the SSH keying mechanism.

It's all just a matter of development time. :) But identity management is
at least twice as hard as people think it is.
--
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
