| Path | csiph.com!tncsrv06.tnetconsulting.net!.POSTED.mailman.mit.edu!not-for-mail |
|---|---|
| From | Geoffrey Thorpe <geoff@geoffthorpe.net> |
| Newsgroups | comp.protocols.kerberos |
| Subject | Re: interested in discussing some Kerberos improvements |
| Date | Mon, 30 Mar 2026 17:41:23 -0400 |
| Organization | TNet Consulting |
| Lines | 68 |
| Message-ID | <mailman.2.1774906891.1813.kerberos@mit.edu> (permalink) |
| References | <CAH2n15zygW0KP4p5m+5JD40Js_QFbG-t45jGhHtABsZoDXSnCw@mail.gmail.com> <acWS6N8cVWmtHZ4g@ubby> <990e6964-c1f6-4fe3-adc9-4c3f9109a74b@geoffthorpe.net> |
| MIME-Version | 1.0 |
| Content-Type | text/plain; charset=UTF-8; format=flowed |
| Content-Transfer-Encoding | 7bit |
| Injection-Info | tncsrv06.tnetconsulting.net; posting-host="mailman.mit.edu:18.7.21.50"; logging-data="14812"; mail-complaints-to="newsmaster@tnetconsulting.net" |
| User-Agent | Mozilla Thunderbird |
| Cc | kerberos@mit.edu |
| To | Nico Williams <nico@cryptonector.com> |
| Content-Language | en-US |
| In-Reply-To | <acWS6N8cVWmtHZ4g@ubby> |
| X-BeenThere | kerberos@mit.edu |
| X-Mailman-Version | 2.1.34 |
| Precedence | list |
| List-Id | The Kerberos Authentication System Mailing List <kerberos.mit.edu> |
| List-Unsubscribe | <https://mailman.mit.edu/mailman/options/kerberos>, <mailto:kerberos-request@mit.edu?subject=unsubscribe> |
| List-Archive | <http://mailman.mit.edu/pipermail/kerberos/> |
| List-Post | <mailto:kerberos@mit.edu> |
| List-Help | <mailto:kerberos-request@mit.edu?subject=help> |
| List-Subscribe | <https://mailman.mit.edu/mailman/listinfo/kerberos>, <mailto:kerberos-request@mit.edu?subject=subscribe> |
| X-Mailman-Original-Message-ID | <990e6964-c1f6-4fe3-adc9-4c3f9109a74b@geoffthorpe.net> |
| X-Mailman-Original-References | <CAH2n15zygW0KP4p5m+5JD40Js_QFbG-t45jGhHtABsZoDXSnCw@mail.gmail.com> <acWS6N8cVWmtHZ4g@ubby> |
| Xref | csiph.com comp.protocols.kerberos:5466 |
Hey Nico, thanks for jumping in.

On 3/26/26 4:11 PM, Nico Williams wrote:
> On Fri, Mar 20, 2026 at 11:12:56PM -0400, Geoffrey Thorpe wrote:
>> I wasn't sure if this was more suited to the krbdev list, but I decided to
>> start here first. Please advise if this belongs elsewhere.
>
> krbdev is better, yes.

Right - I will reformulate my original post and send it to krbdev.

>
>> [...]
>> https://github.com/geoffthorpe/newhcp/blob/main/doc/stateless-kdc.md
>
> FYI KDCs are stateless by definition. What you meant is more like a KDC
> where there is no need to have a _writeable KDB/HDB_ because:
<snip>

Yeah, I didn't mean stateless in the way you're interpreting it, I get
what you mean. It's only "stateless" in the sense that the typical
orchestration problem of managing a KDC, i.e. registering and
deregistering client and service principals in the KDC database, is
avoidable. There's some hand-waving involved (because you still have to
register the underlying namespace principal(s), any legacy principals
may have to be preserved, etc.), but calling it "stateless" kinda gets
the point across more easily than "a mostly write-free KDC solution that
helps resolve traditional Kerberos orchestration challenges by using PKI
as the source of truth for principals rather than maintaining all
identity in the KDC's own database".

>> Among the things that I'm currently depending on in heimdal that might be
>> different or missing in the MIT codebase are;
>> * "namespace principals" - [...]
>> * "synthetic principals" - [...]
>
> At the OpenSSL 2025 Conference I was told that one of the major
> contributors to MIT kerberos also wants these features in MIT Kerberos.
> In this age of LLMs you can probably contribute these yourself in no
> time flat!

If they (one of the contributors) wants to chat/collaborate, please put
them in touch!

>> * a persistent, PKI-based kinit - i.e. where an instance of kinit ("kinit
>> -C" in heimdal) will automatically renegotiate and update tickets over time
>> to respect the key-rotation period, and will reread the x509v3 cred each
>> time (so that any updates to the local PKI cred also get picked up).
>
> I'm not sure what this is referring to. MIT Kerberos supports using
> PKINIT in kinit. Neither MIT nor Heimdal will automatically refresh
> user certificates though, but Heimdal does have kx509 and an HTTP-based
> online CA as well which can do that -- it's just Heimdal's kinit does
> not do what you're asking for.

Perhaps I didn't express it well. The feature I'm relying on is _not_
that kinit refreshes the x509v3 cred itself, but that it re-reads the
cert and key periodically from the FS rather than reading only once at
startup. I.e. the assumption is that the pkinit cert+key is going to be
refreshed "by other means" (in my case via HCP attestation, in other
cases it'll be whatever PKI tooling keeps creds up to date), so what I'm
relying on is that the kinit instance will consume those updates to the
cred over time (from the FS), without requiring a restart.

The heimdal "kinit -C" does seem to do this.

Cheers,
Geoff
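The behaviour described in the last part of the message (a long-running kinit that re-reads the PKINIT cert and key from the filesystem, so credentials rotated by other tooling are picked up without a restart, and that re-obtains tickets over time) can be approximated around MIT kinit with a small wrapper. The script below is an added example for this archive page, not code from either message, from Heimdal, from MIT Kerberos or from the newhcp project. It uses MIT kinit's `-X X509_user_identity=FILE:cert,key` PKINIT option, which does exist; the file paths, the principal, the poll and renewal intervals, and the `WATCH_PKINIT_RUN` switch are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread: re-run PKINIT whenever the
# certificate/key files on disk change (or a renewal interval elapses), so
# that credentials rotated by external PKI tooling are picked up without
# restarting anything. Paths, principal and intervals below are assumptions.

PKINIT_CERT="${PKINIT_CERT:-/etc/pki/host/cert.pem}"           # assumed path
PKINIT_KEY="${PKINIT_KEY:-/etc/pki/host/key.pem}"              # assumed path
PRINCIPAL="${PRINCIPAL:-host/node1.example.test@EXAMPLE.TEST}" # constructed
POLL_SECONDS="${POLL_SECONDS:-30}"      # how often to look at the files
RENEW_SECONDS="${RENEW_SECONDS:-3600}"  # re-run kinit at least this often

# Hash the contents of cert and key together, so a rotation that rewrites
# the files in place (same path, possibly same mtime) is still detected.
# Fails (non-zero) if either file is unreadable, so the caller can skip.
cred_fingerprint() {
    cert="$1"; key="$2"
    [ -r "$cert" ] && [ -r "$key" ] || return 1
    cat "$cert" "$key" | sha256sum | cut -d' ' -f1
}

# True (exit 0) when the current fingerprint is non-empty and differs from
# the previously accepted one; an empty "previous" means first run.
creds_changed() {
    prev="$1"; cur="$2"
    [ -n "$cur" ] && [ "$prev" != "$cur" ]
}

# True when at least RENEW_SECONDS have passed since the last successful kinit.
renewal_due() {
    last_ts="$1"; now_ts="$2"
    [ $((now_ts - last_ts)) -ge "$RENEW_SECONDS" ]
}

# Obtain a fresh TGT via PKINIT with MIT kinit. Heimdal's equivalent would be
# "kinit -C FILE:$PKINIT_CERT,$PKINIT_KEY $PRINCIPAL".
refresh_tgt() {
    kinit -X "X509_user_identity=FILE:$PKINIT_CERT,$PKINIT_KEY" "$PRINCIPAL"
}

watch_loop() {
    accepted=""   # fingerprint of the creds that produced the current TGT
    last_kinit=0  # epoch seconds of the last successful kinit
    while :; do
        now=$(date +%s)
        if fp=$(cred_fingerprint "$PKINIT_CERT" "$PKINIT_KEY"); then
            if creds_changed "$accepted" "$fp" || renewal_due "$last_kinit" "$now"; then
                if refresh_tgt; then
                    accepted="$fp"
                    last_kinit="$now"
                else
                    echo "kinit failed; will retry in ${POLL_SECONDS}s" >&2
                fi
            fi
        else
            echo "PKINIT cert/key not readable yet; waiting" >&2
        fi
        sleep "$POLL_SECONDS"
    done
}

# Start the loop only when explicitly asked, so the file can also be sourced.
if [ "${WATCH_PKINIT_RUN:-0}" = "1" ]; then
    watch_loop
fi
```

Run it as `WATCH_PKINIT_RUN=1 PKINIT_CERT=... PKINIT_KEY=... PRINCIPAL=... sh watch-pkinit.sh` under a supervisor. Hashing the file contents rather than watching mtimes is deliberate: attestation-driven or ACME-style renewal tooling often rewrites credentials atomically into the same path, and a content hash catches that regardless of how the timestamps come out. `sha256sum` is the GNU coreutils name; on BSD-derived systems substitute `shasum -a 256`.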