16 Oct
2005
16 Oct
'05
6:24 p.m.
On Oct 15, 2005, at 18:56, Cowles, Robert D. wrote:
Note that with Kerberos cross-realm authentication, one realm is unable to issue credentials for the director of the other institute...
Isn't the kerberos realm included in the token, thereby providing the equivalent of the CA information?
All principal names include their realm. All service tickets are ultimately issued by the KDC of the realm of the service principal, but include the list of realms which may have been traversed between the client's realm and the server's.