Realm Crossover: User Identity Delegation
There are a few mechanisms for realm crossover of authenticity (Kerberos via KXOVER, SASL with end-to-end KIP encryption). These could be used to retrieve key material.
Since a realm controls its users anyway, it makes sense to delegate that as an explicit prerogative, thus removing the need to ask a remote realm on every inspection. A transport protocol may even rewrite the KIP keying through a tic-toc exchange with its local KIP service, so that what the sender realm sees is the reception of the message, not its decryption.
KIP services need crossover connections to do this. Their naming kip/host.name@REALM is good enough to make that clearly distinguishable, certainly with host.name also stated in DNS SRV records [0]. Such a service could be delegated the prerogative to cater to local users when the ACL allows local users.
The delegation would be a re-issuance of the key, with a constrained ACL. The client protocol may also show this, as a kind of "redirection" of keys. Showing this to the client enables them to cache it, so the realm's KIP service can continue to be stateless.
Typically, this rewriting of the keying headers in KIP would be done during such interfaces as AMQP 1.0 to get into the Reservoir. Both sender and recipient would deal with their local KIP service, but the services get together for key control delegation.
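The delegation rules above (re-issuance of a key with a constrained ACL, the delegate only catering to its own local users, and the client caching the "redirection" so the sender realm's service stays stateless) as an added toy model; this is not ARPA2's KIP code or wire format, and the names KipService, issue, delegate, accept_delegation, fetch and KipClient, the record layout and the example realms are assumptions made for the illustration:

```python
"""Toy model of KIP-style key delegation with a constrained ACL.

Added illustration, not ARPA2's KIP code or wire format: the class and
function names, the record layout and the example realms are assumptions
chosen to show the constraint logic the text describes.
"""
import os
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


def realm_of(identity: str) -> str:
    """Realm part of a user@REALM identity."""
    return identity.rsplit("@", 1)[1]


@dataclass(frozen=True)
class KeyRecord:
    key_id: str
    realm: str                    # realm of the KIP service that issued the record
    acl: FrozenSet[str]           # identities allowed to obtain the content key
    key: bytes                    # content key (a real KIP would wrap it, not store it bare)
    parent: Optional[str] = None  # key_id this record was re-issued from, if delegated


class KipService:
    """One realm's KIP service; holds only records it issued or accepted."""

    def __init__(self, realm: str) -> None:
        self.realm = realm
        self.records: Dict[str, KeyRecord] = {}

    def issue(self, key_id: str, acl) -> KeyRecord:
        rec = KeyRecord(key_id, self.realm, frozenset(acl), os.urandom(32))
        self.records[key_id] = rec
        return rec

    def delegate(self, key_id: str, to_realm: str, acl) -> KeyRecord:
        """Re-issue key_id for the KIP service of to_realm with a constrained ACL."""
        rec = self.records[key_id]
        sub = frozenset(acl)
        # Constraint 1: delegation may narrow the ACL, never widen it.
        if not sub <= rec.acl:
            raise PermissionError("delegated ACL is not a subset of the original")
        # Constraint 2: the delegate may only cater to its own local users.
        foreign = {u for u in sub if realm_of(u) != to_realm}
        if foreign:
            raise PermissionError(f"not local to {to_realm}: {sorted(foreign)}")
        return KeyRecord(f"{key_id}/{to_realm}", to_realm, sub, rec.key, parent=key_id)

    def accept_delegation(self, rec: KeyRecord) -> None:
        """A local KIP service stores a record that was re-issued in its name."""
        if rec.realm != self.realm or rec.parent is None:
            raise ValueError("record was not delegated to this realm")
        self.records[rec.key_id] = rec

    def fetch(self, identity: str, key_id: str) -> bytes:
        """Hand out the content key only to identities on the record's ACL."""
        rec = self.records[key_id]
        if identity not in rec.acl:
            raise PermissionError(f"{identity} not in ACL of {key_id}")
        return rec.key


class KipClient:
    """Recipient-side client that caches the redirection to its local record."""

    def __init__(self, identity: str, local: KipService) -> None:
        self.identity = identity
        self.local = local
        self.redirects: Dict[str, str] = {}  # original key_id -> local key_id

    def learn_redirect(self, rec: KeyRecord) -> None:
        # Showing the re-issued record to the client lets it cache the mapping,
        # so the sender realm's service need not remember it (stays stateless).
        self.redirects[rec.parent] = rec.key_id

    def key_for(self, key_id: str) -> bytes:
        return self.local.fetch(self.identity, self.redirects.get(key_id, key_id))


def denied(fn, *args) -> bool:
    """True if the call is refused by the delegation or ACL checks."""
    try:
        fn(*args)
    except (PermissionError, ValueError):
        return True
    return False


def demo():
    """Constructed scenario: SENDER.EXAMPLE delegates one key to RECV.EXAMPLE."""
    sender = KipService("SENDER.EXAMPLE")
    recv = KipService("RECV.EXAMPLE")
    original = sender.issue("msg-42", {"alice@RECV.EXAMPLE", "bob@RECV.EXAMPLE",
                                       "carol@OTHER.EXAMPLE"})
    delegated = sender.delegate("msg-42", "RECV.EXAMPLE",
                                {"alice@RECV.EXAMPLE", "bob@RECV.EXAMPLE"})
    recv.accept_delegation(delegated)
    alice = KipClient("alice@RECV.EXAMPLE", recv)
    alice.learn_redirect(delegated)
    return original, delegated, alice


if __name__ == "__main__":
    orig, dele, alice = demo()
    print("local key matches original:", alice.key_for("msg-42") == orig.key)
```

The two checks in delegate() are the whole point: a delegate realm can never be handed a wider audience than the original ACL, and it can only be handed its own users, so the sender realm remains the authority over who may read while the recipient realm serves its users without a crossover round trip per inspection.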
[0] Do check REALM validity! Perhaps through _kerberos TXT records in DNS.