Message from discussion
NIST LOAs and Kerberos
From: Ken Hornstein <k...@cmf.nrl.navy.mil>
To: John Devitofranceschi <j...@optonline.net>
Subject: Re: NIST LOAs and Kerberos
In-Reply-To: <C2253E5D-EF5E-4302-94AF-9E5B8052137D@optonline.net>
Date: Fri, 30 Mar 2012 08:23:00 -0400
Cc: kerbe...@mit.edu
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
Newsgroups: comp.protocols.kerberos
Message-ID: <mailman.267.1333110195.12789.kerbe...@mit.edu>
>Does this mean that in order to consider one's KDC infra LOA3 compliant
>one needs to hold the principal database in a compliant hardware
>security module? Or am I missing something here?

You're in trouble even if you did that anyway. Look at section 9.3.2.2.
By my reading of that, with the traditional use of Kerberos you can't
go above Level 1.
--Ken