Kerberos Reserved Names and Anonymity Support Larry Zhu IETF66 - - PowerPoint PPT Presentation

Slide 1

Kerberos Reserved Names and Anonymity Support

Larry Zhu IETF66 Microsoft

Slide 2

Reserved Principal Names

  • New name type
    – KRB_NT_RESERVED (value TBA)

  • Name values
    – Two or more components
    – First component MUST be “RESERVED”

  • Errors
    – KRB_AP_ERR_RESERVED_PRINCIPAL_NAME_UNKNOWN (value TBA)

Slide 3

Reserved Kerberos Realms

  • RFC4120 realms
    – domain: ATHENA.MIT.EDU
    – X500: C=US/O=OSF
    – other: NAMETYPE:rest/of.name=without-restrictions

  • Reserved Realm Names:
    – RESERVED:realm-name

  • Errors
    – KRB_AP_ERR_RESERVED_REALM_NAME_UNKNOWN (value TBA)

Slide 4

Naming of Anonymity

  • Anonymous principal name
    – Name type: KRB_NT_RESERVED
    – Value: “RESERVED”, “ANONYMOUS”

  • Anonymous realm name
    – Value: “RESERVED:ANONYMOUS”

  • Anonymous authentication path
    – NO-TRANSITED-INFO (value TBA)

Slide 5

Issues for Anonymity Support

  • authtime reset, preventing association
  • Anonymity in cross-realm authentication
    – Client realm can be the real realm name or the anonymous realm name
    – Rules for preserving authentication paths

  • Authorization data and client identity
    – AD-IF-RELEVANT is critical

Slide 6

GSS-API updates

  • Single string representation for GSS_KRB5_NT_PRINCIPAL_NAME
    – “RESERVED/ANONYMOUS”
    – “RESERVED/ANONYMOUS@RESERVED:ANONYMOUS”
    – “RESERVED/ANONYMOUS@<realm name>”

  • GSS_C_NT_ANONYMOUS name type
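
The naming rules from slides 2 to 4 and the GSS-API string forms from slide 6, worked through as an added Python example (not code from the draft or from any Kerberos implementation). The name-type and error-code values are TBA on the slides, so they appear here as string placeholders, and inferring KRB_NT_RESERVED from a RESERVED first component is an assumption of this example.

```python
from dataclasses import dataclass
from typing import List, Optional

KRB_NT_RESERVED = "KRB_NT_RESERVED"      # numeric value TBA on the slides
RESERVED_PREFIX = "RESERVED"              # required first principal component
RESERVED_REALM_PREFIX = "RESERVED:"       # reserved realms: RESERVED:realm-name
ANONYMOUS_PRINCIPAL = ["RESERVED", "ANONYMOUS"]

class ReservedNameUnknown(Exception):
    """Stand-in for KRB_AP_ERR_RESERVED_{PRINCIPAL,REALM}_NAME_UNKNOWN (codes TBA)."""

@dataclass
class PrincipalName:
    components: List[str]
    realm: Optional[str]            # None when the string carried no '@realm'
    name_type: Optional[str] = None

def parse_gss_name(text: str) -> PrincipalName:
    """Parse the GSS_KRB5_NT_PRINCIPAL_NAME string form 'comp1/comp2@REALM'.
    Splitting on the last '@' keeps RESERVED:ANONYMOUS (':' but no '@') whole."""
    principal, sep, realm = text.rpartition("@")
    if not sep:
        principal, realm = text, None
    components = principal.split("/")
    if any(c == "" for c in components) or realm == "":
        raise ValueError("empty component or realm in %r" % text)
    # Assumption: a RESERVED first component marks a KRB_NT_RESERVED name,
    # since the string form itself carries no name type.
    name_type = KRB_NT_RESERVED if components[0] == RESERVED_PREFIX else None
    return PrincipalName(components, realm, name_type)

def is_reserved_principal(name: PrincipalName) -> bool:
    return len(name.components) >= 2 and name.components[0] == RESERVED_PREFIX

def is_reserved_realm(realm: Optional[str]) -> bool:
    return realm is not None and realm.startswith(RESERVED_REALM_PREFIX)

def is_anonymous(name: PrincipalName) -> bool:
    """True for all three slide-6 forms: no realm, RESERVED:ANONYMOUS, or a real realm."""
    return name.components == ANONYMOUS_PRINCIPAL

def check_reserved_names(name: PrincipalName, known_principals: set, known_realms: set) -> None:
    """Acceptor-side rule: a reserved principal or realm this implementation does
    not understand is rejected with the matching error, not treated as ordinary."""
    if name.name_type == KRB_NT_RESERVED and not is_reserved_principal(name):
        raise ValueError("KRB_NT_RESERVED needs >= 2 components, first RESERVED")
    if is_reserved_principal(name) and tuple(name.components) not in known_principals:
        raise ReservedNameUnknown("KRB_AP_ERR_RESERVED_PRINCIPAL_NAME_UNKNOWN")
    if is_reserved_realm(name.realm) and name.realm not in known_realms:
        raise ReservedNameUnknown("KRB_AP_ERR_RESERVED_REALM_NAME_UNKNOWN")
```

The sets passed to check_reserved_names list the reserved principals and realms the acceptor actually implements; anything else in the reserved namespace is refused rather than matched against an ordinary account.
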

Slide 7

Questions