
Re: How US military base in Hawaii was compromised - Password sharing

2013-11-11 12:25:32
Yoav Nir wrote:

Fortunately, we have some really good mechanisms on the books that
permit delegation including OAUTH*, KeyNote(2704), SASL (I think) and
even going back to SPKI (rfc2693).  I know that there are more.

Supporting delegation is easy.

Supporting delegation in a way that ordinary people can understand
is very hard.

Kerberos originally contained a concept of "delegation of authority".
The only scenario in which it seems to be used is forwarding full
control (forwarding a TGT rather than a tailored service ticket).

About a decade ago, a different scheme of "delegation" was invented
and is used with Kerberos today, called "Constrained Delegation"
with "Protocol Transition", where the sysadmin configures which
tickets a service is allowed to forge out of thin air at will
(which obviates the need for the sysadmin to ask users for their passwords...).

-Martin
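As an added example (not from this thread, and not code from any Kerberos or Active Directory implementation): a small Python audit that classifies accounts by the three delegation modes discussed above, unconstrained TGT forwarding, constrained delegation, and constrained delegation with protocol transition, from the Active Directory userAccountControl bits and the msDS-AllowedToDelegateTo attribute. The directory records are constructed samples; the attribute names and flag values are the real ones AD uses.

```python
# userAccountControl flag values (ADS_USER_FLAG_ENUM); the records below are
# constructed samples, not real directory data.
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained: may forward the full TGT
NOT_DELEGATED = 0x100000                    # sensitive account, cannot be delegated
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (S4U2Self)
NORMAL_ACCOUNT = 0x200

def delegation_mode(entry):
    """Label the delegation an account may perform, from its attributes."""
    uac = int(entry.get("userAccountControl", 0))
    targets = entry.get("msDS-AllowedToDelegateTo", [])
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if targets and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "constrained-with-protocol-transition"
    if targets:
        return "constrained"
    return "none"

NOTES = {
    "unconstrained": "receives a forwarded TGT from every user that authenticates to it; convert to constrained",
    "constrained-with-protocol-transition": "can obtain tickets for any user without their password; review every target SPN",
    "constrained": "may only forward tickets it actually received, and only to the listed SPNs",
}

def audit_delegation(entries):
    """Return (findings, protected): findings is a list of (account, mode, targets, note)
    for accounts able to delegate; protected lists accounts flagged NOT_DELEGATED."""
    findings = []
    protected = []
    for e in entries:
        uac = int(e.get("userAccountControl", 0))
        if uac & NOT_DELEGATED:
            protected.append(e["sAMAccountName"])
        mode = delegation_mode(e)
        if mode != "none":
            findings.append((e["sAMAccountName"], mode,
                             list(e.get("msDS-AllowedToDelegateTo", [])), NOTES[mode]))
    return findings, protected

# Constructed sample records, roughly in the shape an LDAP query returns.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "websvc", "userAccountControl": NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "portal", "userAccountControl": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["cifs/fileserver.example.test"]},
    {"sAMAccountName": "proxy", "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": ["http/backend.example.test"]},
    {"sAMAccountName": "admin", "userAccountControl": NORMAL_ACCOUNT | NOT_DELEGATED},
]
```

Running `audit_delegation(SAMPLE_ENTRIES)` on real LDAP output (the same attribute names) gives a per-account list of who may impersonate whom and toward which SPNs, plus the sensitive accounts that are shielded from all three modes.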