Re: What ASN.1 got right

When I was writing my intro to crypto course, I covered Kerberos and then moved on to PKI, and I was astonished at just how close the Kohnfelder model hews to Kerberos (maybe not so surprising, since it was an MIT undergrad thesis).

But here is the thing, nobody should ever be ashamed of 're-inventing' systems of the past. If old techniques work, then use them.

Since adding PKI to Kerberos wasn't exactly successful, one is going to have to add PKI to Kerberos or Kerberos to PKI, and the complexity of either is likely to be rather greater than designing something from scratch using the experience of the past 40 years.


There were dozens of AAA products on the market when I started work on SAML. And SAML is merely PKIX attribute certificates done right, encoded in XML.



On Wed, Mar 3, 2021 at 1:38 PM Nico Williams <nico@xxxxxxxxxxxxxxxx> wrote:
On Wed, Mar 03, 2021 at 09:50:30AM -0800, Michael Thomas wrote:
> Or you just expect online and not worry about any of this.

No, sorry.  I've explained.  We'll have to disagree.

> I'm not even sure why you'd want to use certs in your use case. You're just
> reinventing Kerberos.

Because we have a principal for a user, and also a trusted thing that
wants to impersonate them (in order to run the user's batch jobs) but
without the user having to delegate a credential to them.  So we issue
that thing a client certificate (that the user never sees) that can be
used to acquire a TGT on behalf of the user.  This isn't remotely like
reinventing Kerberos.

Nico
--
