On Tue, Jul 16, 2002 at 01:20:11PM -0700, Shaun Savage wrote:
> Kerberos has been around for a while.
> ~ Is it still good?
> ~ Does it scale well?

My biggest complaint against Kerberos is that it basically tries to replicate Public Key Crypto with nothing but Symmetric Crypto. This leads to a necessarily complicated design.

My secondary complaint is that it requires application support. (To a certain extent, all distributed authentication infrastructures will require application support, but this will limit your options for many services.)

(I'm not too concerned about attackers getting a hold of private authentication tokens while decrypted on the local machine -- as far as I can figure, only challenge-response authentication techniques using hardware tokens of some sort could circumvent this attack, which is typically beyond the budget and requirements of most organizations. Yes, paper printed skey authentication is pretty cheap, but I expect support costs would be higher than one might care to spend on passwords.)

As near as I can tell, Kerberos is much like NFS: In use because it was first, not because it is the best possible solution.

--
http://sardonix.org/

This archive was generated by hypermail 2b30 : Tue Jul 16 2002 - 23:49:08 PDT