Shaun Savage wrote:

> Kerberos has been around for a while. ~ Is it still good?
> ~ Does it scale well?

Kerberos has the advantage of scaling UP well: it was designed for large organizations. It also has the advantage of having been designed by some very serious security people, so the crypto is good.

But it also has some significant disadvantages:

* Symmetric crypto: this requires a centralized authentication server that holds everyone's personal private key. Makes for a single point of failure.
* Does not scale DOWN well: Kerberos is a pain in the ass to set up ad hoc on a small network, or to deploy as an individual in a network that does not support Kerberos.
* Requires the use of "kerberized" applications. Done right, this can be a security advantage, but it mostly means that you have to run a weird variant of many stock utilities.
* The open source version commonly used on Linux has a long, sorry history of software vulnerabilities. My engineers curse at the name of Kerberos.

You be the judge :)

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com/~crispin/
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html

This archive was generated by hypermail 2b30 : Tue Jul 16 2002 - 22:45:17 PDT