Name Constraints, was Re: [caops-wg] Re: ca signing policy file
Matt Crawford
crawdad at fnal.gov
Sun Oct 16 13:24:47 CDT 2005
On Oct 15, 2005, at 18:56, Cowles, Robert D. wrote:
>> Note that with Kerberos cross-realm authentication, one realm
>> is unable to issue credentials for the director of the other
>> institute...
>
> Isn't the kerberos realm included in the token, thereby providing
> the equivalent of the CA information?
All principal names include their realm. All service tickets are
ultimately issued by the KDC of the realm of the service principal,
but include the list of realms which may have been traversed between
the client's realm and the server's.
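The two properties Matt states (the client's realm travels inside the principal name, and the service's KDC issues the final ticket but records the realms traversed) are what a relying party actually checks. The following is an added toy model of that issuance chain, not code from the thread or from any Kerberos implementation: the realms A.EXAMPLE, B.EXAMPLE and C.EXAMPLE, their trust links, the host principals and the rogue-KDC scenario are constructed for illustration. The rule for extending the transited list (append the realm whose key sealed the incoming TGT unless it is the client's own realm or the issuing realm) is modelled on RFC 4120 section 3.3.3.2; the example then shows why a KDC in one realm cannot usefully mint a ticket naming the other realm's director: the copied crealm and the transited list disagree, and the service rejects it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    realm: str            # every principal name carries its realm

    def __str__(self) -> str:
        return f"{self.name}@{self.realm}"


@dataclass(frozen=True)
class Ticket:
    client: Principal         # cname/crealm, copied unchanged at every hop
    service: Principal        # sname; service.realm is the realm whose key seals the ticket
    transited: tuple = ()     # intermediate realms in traversal order; end-points omitted


class KDC:
    """One realm's KDC; `trusted` are the realms it shares an inter-realm key with."""

    def __init__(self, realm: str, trusted: set) -> None:
        self.realm = realm
        self.trusted = frozenset(trusted)

    def authenticate(self, name: str) -> Ticket:
        """AS exchange: a TGT naming one of this realm's own principals."""
        return Ticket(Principal(name, self.realm), Principal(f"krbtgt/{self.realm}", self.realm))

    def tgs(self, tgt: Ticket, service: Principal) -> Ticket:
        """TGS exchange on a local or cross-realm TGT.  `service` is a principal in this
        realm, or krbtgt/<next realm> to request a cross-realm TGT toward that realm."""
        issuer = tgt.service.realm    # which key the presented TGT is sealed under
        if tgt.service.name != f"krbtgt/{self.realm}" or issuer not in (self.trusted | {self.realm}):
            raise PermissionError(f"{self.realm}: cannot decrypt TGT sealed by {issuer}")
        if service.realm != self.realm:
            raise PermissionError(f"{self.realm}: {service} is not in this realm")
        hop = service.name[len("krbtgt/"):] if service.name.startswith("krbtgt/") else None
        if hop is not None and hop not in self.trusted:
            raise PermissionError(f"{self.realm}: no inter-realm key with {hop}")
        # Modelled on RFC 4120 3.3.3.2: the realm that sealed the incoming TGT is appended
        # unless it is the client's own realm or ours (end-points are never listed).
        transited = tgt.transited
        if issuer not in (self.realm, tgt.client.realm) and issuer not in transited:
            transited = transited + (issuer,)
        # The client identity is copied from the TGT; this KDC never names it itself.
        return Ticket(tgt.client, service, transited)


def get_service_ticket(kdcs: dict, client: Principal, service: Principal, path: list) -> Ticket:
    """Client-side walk of the realm path (client's realm first, service's realm last)."""
    if path[0] != client.realm or path[-1] != service.realm:
        raise ValueError("path must run from the client's realm to the service's realm")
    ticket = kdcs[client.realm].authenticate(client.name)
    for here, nxt in zip(path, path[1:] + [None]):
        target = service if nxt is None else Principal(f"krbtgt/{nxt}", here)
        ticket = kdcs[here].tgs(ticket, target)
    return ticket


def service_accepts(ticket: Ticket, local_realm: str, ok_intermediates: frozenset = frozenset()) -> bool:
    """Service-side transited check: a home-realm client must have arrived directly;
    a foreign client may only pass through intermediaries this service allows."""
    if ticket.client.realm == local_realm:
        return ticket.transited == ()
    return set(ticket.transited) <= ok_intermediates


def demo() -> dict:
    """Constructed example: A trusts B, B trusts A and C, C trusts B (no A-C key)."""
    kdcs = {
        "A.EXAMPLE": KDC("A.EXAMPLE", {"B.EXAMPLE"}),
        "B.EXAMPLE": KDC("B.EXAMPLE", {"A.EXAMPLE", "C.EXAMPLE"}),
        "C.EXAMPLE": KDC("C.EXAMPLE", {"B.EXAMPLE"}),
    }
    alice = Principal("alice", "A.EXAMPLE")
    host_b = Principal("host/gw.b.example", "B.EXAMPLE")
    host_c = Principal("host/gw.c.example", "C.EXAMPLE")
    out = {}
    out["two_hop"] = get_service_ticket(kdcs, alice, host_c, ["A.EXAMPLE", "B.EXAMPLE", "C.EXAMPLE"])
    out["direct"] = get_service_ticket(kdcs, alice, host_b, ["A.EXAMPLE", "B.EXAMPLE"])
    try:
        get_service_ticket(kdcs, alice, host_c, ["A.EXAMPLE", "C.EXAMPLE"])
        out["no_key"] = False
    except PermissionError:
        out["no_key"] = True
    # A rogue KDC in C seals a cross-realm TGT claiming the client is B's own director.
    forged = Ticket(Principal("director", "B.EXAMPLE"), Principal("krbtgt/B.EXAMPLE", "C.EXAMPLE"))
    out["forged"] = kdcs["B.EXAMPLE"].tgs(forged, host_b)
    out["forged_accepted"] = service_accepts(out["forged"], "B.EXAMPLE")
    local = kdcs["B.EXAMPLE"].tgs(kdcs["B.EXAMPLE"].authenticate("director"), host_b)
    out["local_accepted"] = service_accepts(local, "B.EXAMPLE")
    return out


if __name__ == "__main__":
    for key, val in demo().items():
        if isinstance(val, Ticket):
            val = f"{val.client} -> {val.service} via {list(val.transited)}"
        print(f"{key}: {val}")
```

Running it shows alice@A.EXAMPLE reaching C with transited ['B.EXAMPLE'], reaching B with an empty list, the forged "director@B.EXAMPLE" ticket carrying transited ['C.EXAMPLE'] and being refused by B's service, and the A-to-C path failing for want of a shared key. Real deployments add the TRANSITED-POLICY-CHECKED flag and the compressed transited encoding, which this model leaves out.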