<?xml version='1.0' encoding='UTF-8'?>

<reference anchor='I-D.zrelli-krb-xtgsp'>
<front>
<title>XTGSP, the Inter-TGS protocol for cross-realm operations in Kerberos.</title>

<author initials='S' surname='Zrelli' fullname='Saber Zrelli'>
    <organization />
</author>

<date month='March' day='5' year='2007' />

<abstract><t>Cross-realm operations in Kerberos allow users to access services offered by foreign realms. The cross-realm operations are based on inter-realm trust built using shared symmetric keys (a.k.a. inter-realm keys) between the KDCs of the realms offering cross-realm services. The current cross-realm authentication model may be the origin of performance, scalability and security issues. This document provides a brief overview of these issues and introduces a new cross-realm model based on PKINIT. The new model, called XTGSP, defines a protocol that allows a client to obtain a service ticket, for a service offered by a foreign realm, in a single round trip. The protocol specifies an exchange between Kerberos KDCs that enables a local KDC to build a TGS-REP message for a service that is registered in a remote realm. The XTGSP exchange is secured using inter-realm keys maintained using the PKINIT extension.</t></abstract>

</front>

<seriesInfo name='Internet-Draft' value='draft-zrelli-krb-xtgsp-01' />
<format type='TXT'
        target='http://www.ietf.org/internet-drafts/draft-zrelli-krb-xtgsp-01.txt' />
</reference>

