Re: RFC 4121 & acceptor subkey use in MIC token generation

https://www.rocksolidbbs.com/devel/article-flat.php?id=406&group=comp.protocols.kerberos#406

From: nico@cryptonector.com (Nico Williams)
Newsgroups: comp.protocols.kerberos
Subject: Re: RFC 4121 & acceptor subkey use in MIC token generation
Date: Thu, 26 Oct 2023 16:29:59 -0500
Organization: TNet Consulting
Message-ID: <mailman.30.1698355829.2263420.kerberos@mit.edu>
Cc: kerberos@mit.edu
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
In-Reply-To: <202310262110.39QLAdhW010116@hedwig.cmf.nrl.navy.mil>
by: Nico Williams - Thu, 26 Oct 2023 21:29 UTC

On Thu, Oct 26, 2023 at 05:10:39PM -0400, Ken Hornstein via Kerberos wrote:
> Unfortunately, ANOTHER one of the "fun" rules I live under is, "Thou
> shall have no other PKI than the DoD PKI". And as much as I can
> legitimately argue for many of the unusual things that I do, I can't get
> away with that one; [...]

A CA that issues short-lived certificates (for keys that might be
software keys) is morally equivalent to a Kerberos KDC. You ought to be
able to deploy such online CAs that issue only short-lived certs.

I understand how the politics of this works, so I'm just going to say
that I feel your pain.

Presumably OpenSSH CAs are a different story because they're not x.509? :)

> We _do_ do PKINIT with the DoD PKI today; that is relatively
> straightforward with the exception of dealing with certificate
> revocation (last time I checked the total size of the DOD CRL package
> was approximately 8 million serial numbers, sigh).

Don't you have OCSP responders?

See, that's the point of CAs that issue short-lived certificates: you
don't have to worry about revocation any more than you do with Kerberos
because tickets are short-lived.

(Though one can easily issue 10 year tickets too. It's just that one
should not. I'd like to say that I suspect that no one does, but I
don't want to find out otherwise...)

> We KIND do bridging, but it's at a higher level; since almost everyone
> we deal with has an issued PKI client certificate on a smartcard we tend
> to support a bunch of ways of working with that. So you can use your
> client certificate to do a bunch of things like get a Kerberos ticket,
> but we can't turn a Kerberos ticket into a DOD PKI client certificate.

Right, that makes sense.

> I mean, it seems like gssapi-with-mic is relatively widely supported
> and works (with the previously-discussed exception of the broken-assed
> Tenable client and Heimdal servers).

One of the problems I'm finding is that SSHv2 client implementations are
proliferating, and IDEs nowadays tend to come with one, and not one of
them supports GSS-KEYEX, though most of them support gssapi-with-mic, so
it makes you want to give up on GSS-KEYEX.

We have used GSS-KEYEX to do "credential cascading", and it's not enough
to support GSS-KEYEX for that: the client has to also schedule re-keys
to refresh the credentials delegated to the server.

We're starting to do something completely different: make it so the user
just does not need to delegate credentials. Typically that is because
they are not even using ssh anymore but a tightly controlled and audited
system for accessing privileged accounts, or because they are accessing
a personal virtual home server, and in the latter case we'll ensure that
they have credentials there provided by an orchestration system -- in
neither case is credential delegation necessary, and certainly not
credential cascading.

Nico
--
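The argument above, that a credential which expires quickly makes revocation checking unnecessary in the same way a Kerberos ticket does, can be expressed as a verifier-side acceptance policy. The Python below is an added example for this page, not code from the thread or from any Kerberos or PKI implementation; the 12-hour "short-lived" bound, the 5-minute clock skew and the sample validity periods are constructed assumptions. It shows that the decision rests on the credential's lifetime, not on whether it is an X.509 certificate or a ticket: the 10-year ticket mentioned in the post fails the policy exactly as a multi-year smartcard certificate does.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy bound: a credential whose total lifetime is at or below this
# value is treated like a Kerberos ticket and accepted without a CRL/OCSP
# lookup, because it expires before a revocation could usefully propagate.
SHORT_LIVED_MAX = timedelta(hours=12)
# Assumed tolerated clock skew between issuer and verifier (Kerberos defaults
# to 5 minutes; the value here is a constructed choice for the example).
CLOCK_SKEW = timedelta(minutes=5)


def lifetime(not_before: datetime, not_after: datetime) -> timedelta:
    """Total validity period of a certificate or ticket."""
    return not_after - not_before


def is_short_lived(not_before: datetime, not_after: datetime,
                   bound: timedelta = SHORT_LIVED_MAX) -> bool:
    """True when the credential's whole lifetime fits inside the policy bound."""
    return lifetime(not_before, not_after) <= bound


def credential_status(not_before: datetime, not_after: datetime,
                      now: datetime, bound: timedelta = SHORT_LIVED_MAX) -> str:
    """Classify a credential at time `now`.

    Returns one of:
      'not-yet-valid'     - validity starts in the future, beyond allowed skew
      'expired'           - validity ended in the past, beyond allowed skew
      'accept'            - currently valid and short-lived: no revocation lookup
      'check-revocation'  - currently valid but long-lived: CRL/OCSP required
    """
    if now + CLOCK_SKEW < not_before:
        return "not-yet-valid"
    if now - CLOCK_SKEW > not_after:
        return "expired"
    if is_short_lived(not_before, not_after, bound):
        return "accept"
    return "check-revocation"


def exposure_window(not_after: datetime, now: datetime) -> timedelta:
    """How long a key compromised right now stays usable if we never revoke:
    the remaining lifetime, floored at zero."""
    return max(not_after - now, timedelta(0))


# Constructed reference time and sample validity periods (not real credentials).
NOW = datetime(2023, 10, 26, 21, 30, tzinfo=timezone.utc)
SAMPLES = {
    "8h-cert":           (NOW - timedelta(hours=1),   NOW + timedelta(hours=7)),
    "2y-smartcard-cert": (NOW - timedelta(days=400),  NOW + timedelta(days=330)),
    "10y-ticket":        (NOW - timedelta(days=365),  NOW + timedelta(days=9 * 365)),
    "expired-8h-cert":   (NOW - timedelta(hours=9),   NOW - timedelta(hours=1)),
    "future-8h-cert":    (NOW + timedelta(hours=1),   NOW + timedelta(hours=9)),
}


def evaluate_samples(now: datetime = NOW) -> dict:
    """Run the policy over every constructed sample."""
    return {name: credential_status(nb, na, now) for name, (nb, na) in SAMPLES.items()}


if __name__ == "__main__":
    for name, status in evaluate_samples().items():
        nb, na = SAMPLES[name]
        print(f"{name:18} lifetime={lifetime(nb, na)} "
              f"exposure={exposure_window(na, NOW)} -> {status}")
```

The skew handling matters in practice: a verifier that rejects a freshly issued short-lived certificate because its own clock is a minute behind the CA's would push operators back toward long lifetimes, which is the opposite of what the policy is for.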
