Projects/Geolocation Policy

From K5Wiki
< Projects(Difference between revisions)
(Initial purpose statement)
 
(Added Design section)
Line 3: Line 3:
 
== Use Case ==
 
== Use Case ==
   
# Person travels abroad. When authenticating to his corporate Kerberos-enabled system, he uses some location-related measurement Device together with other authentication means. The information from the Device - such as geographical and/or DNS location - is encrypted and passed to the KDC with the initial request. There it is evaluated by a designated service and, based on the result of the evaluation, KDC proceeds with issuing, or not, the ticket.
+
# Person travels abroad. When authenticating to his corporate Kerberos-enabled system, he uses some location-related measurement Device together with the other authentication means. The geolocation claim is passed to the KDC with the initial request. There it is evaluated by a designated service and, based on the result of the evaluation and local policies, KDC proceeds with issuing, or not, the ticket.
# Use geolocation for Audit.
+
# The client's geolocation maybe used for Audit purposes.
   
 
== Purpose ==
 
== Purpose ==
   
 
Define a new Geolocation policy and create an infrastructure to allow KDC to deal with the geolocation information.
 
Define a new Geolocation policy and create an infrastructure to allow KDC to deal with the geolocation information.
  +
  +
== Design ==
  +
  +
Client contacts Location Information Service (LIS) with the geolocation claim. LIS evaluates the claim (geographical and network attachment) and issues certificate confirming correctness of the claim. Client sends this certificate to KDC. KDC uses its PKINIT facilities to process the certificate.
  +
   
 
==Related references==
 
==Related references==
   
# [http://http://www.ietf.org/id/draft-ietf-geopriv-held-measurements-07.txt draft-ietf-geopriv-held-measurements-07]
+
# [http://datatracker.ietf.org/doc/draft-ietf-geopriv-held-measurements/ draft-ietf-geopriv-held-measurements]
  +
# [http://datatracker.ietf.org/wg/geopriv/ IETF geopriv charter]
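Review bot: The added Design paragraph says the LIS "issues certificate confirming correctness of the claim" and that the KDC processes it with its PKINIT facilities, but it does not say how the KDC comes to trust the LIS as an issuer, how long such a certificate stays valid, or how the certificate is tied to the principal making the initial request. The Use Case rewrite also drops the earlier "is encrypted and passed to the KDC" wording, so the section should state whether confidentiality of the geolocation claim is still a requirement. Suggest adding one sentence on each of these points to the Design section.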

Revision as of 13:52, 1 August 2013

This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.


Use Case

  1. A person travels abroad. When authenticating to his corporate Kerberos-enabled system, he uses a location-related measurement device together with the other authentication means. The geolocation claim is passed to the KDC with the initial request. There it is evaluated by a designated service and, based on the result of the evaluation and local policies, the KDC either issues the ticket or declines to.
  2. The client's geolocation may be used for audit purposes.

Purpose

Define a new Geolocation policy and create an infrastructure that allows the KDC to handle geolocation information.

Design

The client contacts the Location Information Service (LIS) with the geolocation claim. The LIS evaluates the claim (geographical and network attachment) and issues a certificate confirming the correctness of the claim. The client sends this certificate to the KDC, which uses its PKINIT facilities to process it.


Related references

  1. draft-ietf-geopriv-held-measurements
  2. IETF geopriv charter