logo_kerberos.gif

Projects/Geolocation Policy

From K5Wiki
Jump to: navigation, search
This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.


Use Case

  1. Person travels abroad. When authenticating to his corporate Kerberos-enabled system, he uses some location-related measurement Device together with the other authentication means. The geolocation claim is passed to the KDC with the initial request. There it is evaluated by a designated service and, based on the result of the evaluation and local policies, KDC proceeds with issuing, or not, the ticket.
  2. The client's geolocation maybe used for Audit purposes.

Purpose

Define a new Geolocation policy and create an infrastructure to allow KDC to deal with the geolocation information.

Design

Client contacts Location Information Service (LIS) with the geolocation claim. LIS evaluates the claim (geographical and network attachment) and issues certificate confirming correctness of the claim. Client sends this certificate to KDC. KDC uses its PKINIT facilities to process the certificate.

(An alternative to improve geo confidence... Does the satellite-based signing authority exist? It would be great if it could sign the KDC token related to clients geo-location claim. )

Related references

  1. draft-ietf-geopriv-held-measurements
  2. IETF geopriv charter