Path: utzoo!attcan!uunet!fernwood!apple!sun-barr!decwrl!shelby!HPLABS.HP.COM!sytek!salzman
From: sytek!salzman@HPLABS.HP.COM (Michael M. Salzman)
Newsgroups: comp.protocols.kerberos
Subject: kerberos application to OSI
Message-ID: <8912080934.AA11988@sytek.hls.hac.com>
Date: 8 Dec 89 09:34:34 GMT
Sender: daemon@shelby.Stanford.EDU
Organization: The Internet
Lines: 28


This is a two pronged question, prompted by recent user questions on 
the net.

Are efforts underway at Athena to integrate Kerberos mechanisms with
OSI protocol services?  Is this desirable?  Is it feasible?

The second aspect relates to the notion of a user space or environment
which is both authenticated and available network wide.  It would seem
useful to incorporate the authentication features of Kerberos within
a service such as X.500, so that users in one domain could access 
services in another domain, without prior arrangement.  Similarly, a user
could travel to another location and have his environment available
to him including authentication information.

I suspect that such activities would require another layer of
authentication between cooperating Directory Service Agents, since
they would have to trust the information provided by the remote
DSAs.  Such a trust establishment mechanism could also use Kerberos,
and would be administered by a higher level authority which would 
manage the inter DSA authentication.

I think that a marriage of kerberos and distributed directory/environment
services would be well received in the corporate world, and would
solve a real problem.


Mike Salzman