Shaun Savage wrote:
> Hi
> After reading the responses, I would like to sum it up.
>
> 1> KDC is the weak link.
> 2> requires special services and applications.
> 3> scales up well
> 4> basically good general auth system.
> 5> implementation problems.
You left out that it does *not* scale down well.
> Things were said about public key vs symmetric key. The problem with
> public key crypto is that the private key requires secure private
> storage. In a community/public workstation network, storage of that
> public key needs a central server or user-held storage device for
> the private key (smartcards, memory cards or sticks).
Symmetric key does not actually improve this situation:
* in *both* cases, each client has to securely store their key
* the difference is:
  o public key: the KDC *publishes* the client's public keys
  o symmetric key: the KDC must keep copies of all clients'
    private keys, so they have to be confidential
> Is there a better open protocol for user auth in a community/public
> workstation network?
Huge enormous butt-load of them. Look for products marketed as "SSO",
"Single Sign On" or "Authentication server".
> If a better open protocol is needed, what would be the specs?
Leading contenders for protocols, open or otherwise, would be:
* SSL/X.509: the VeriSign/CA solution. You don't have to use
VeriSign certs; you can be your own CA instead. Vendors include
people like Entrust, Baltimore, RSA, BBN, and Schlumberger.
* SSH: doesn't have a PKI built into it, which is why it scales down
so well. But that doesn't stop you from setting up a PKI. However,
there is no open standard for SSH PKI.
* Liberty Alliance (guarded skepticism)
* Microsoft Passport (abject terror :)
Crispin
--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com/~crispin/
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
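An added illustration of the key-storage point in the reply above (it is not part of either message): two toy KDC stores, one holding a copy of every client's shared secret and one holding only public keys. Each runs a challenge-response login, then the question "does the KDC's own database, with no client-side key, suffice to pass the KDC's check?" is asked of both. HMAC-SHA256 and Ed25519 from Go's standard library stand in for whatever the real protocol would use, and the user names are made up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed example, not from the thread: HMAC-SHA256 and Ed25519 stand in
// for a real KDC protocol; "alice" and "bob" are made-up users.

// SymmetricKDC keeps a copy of every client's secret, so its store must stay
// confidential.
type SymmetricKDC struct{ secrets map[string][]byte }

// PublicKeyKDC keeps only public keys, which it can publish freely.
type PublicKeyKDC struct{ pubs map[string]ed25519.PublicKey }

func NewSymmetricKDC() *SymmetricKDC { return &SymmetricKDC{secrets: map[string][]byte{}} }
func NewPublicKeyKDC() *PublicKeyKDC { return &PublicKeyKDC{pubs: map[string]ed25519.PublicKey{}} }

// newChallenge draws a fresh random nonce for one login attempt.
func newChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// EnrollSymmetric makes a shared secret; the KDC and the client each hold a copy.
func EnrollSymmetric(k *SymmetricKDC, user string) []byte {
	s := make([]byte, 32)
	if _, err := rand.Read(s); err != nil {
		panic(err)
	}
	k.secrets[user] = s
	return s
}

// EnrollPublicKey makes a keypair; the KDC keeps the public half only, the
// client keeps the private half (the part that wants a smartcard or similar).
func EnrollPublicKey(k *PublicKeyKDC, user string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	k.pubs[user] = pub
	return priv
}

// symResponse: the client's proof in the symmetric design, an HMAC over the challenge.
func symResponse(secret, challenge []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(challenge)
	return m.Sum(nil)
}

// signResponse: the client's proof in the public-key design, a signature over the challenge.
func signResponse(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

func (k *SymmetricKDC) Verify(user string, challenge, resp []byte) bool {
	s, ok := k.secrets[user]
	return ok && hmac.Equal(symResponse(s, challenge), resp)
}

func (k *PublicKeyKDC) Verify(user string, challenge, sig []byte) bool {
	p, ok := k.pubs[user]
	return ok && ed25519.Verify(p, challenge, sig)
}

// StoreAloneAuthenticates reports whether the KDC's own database, with no
// client-side key, already contains enough to pass the KDC's check for user.
// For the symmetric store the answer is yes: it holds the secret itself.
func (k *SymmetricKDC) StoreAloneAuthenticates(user string) bool {
	s, ok := k.secrets[user]
	if !ok {
		return false
	}
	c := newChallenge()
	return k.Verify(user, c, symResponse(s, c))
}

// For the public-key store the answer is no: it holds no signing key, so the
// best a holder of the store can offer is a signature under some other key.
func (k *PublicKeyKDC) StoreAloneAuthenticates(user string) bool {
	if _, ok := k.pubs[user]; !ok {
		return false
	}
	_, other, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	c := newChallenge()
	return k.Verify(user, c, signResponse(other, c))
}

func main() {
	sk, pk := NewSymmetricKDC(), NewPublicKeyKDC()
	sec := EnrollSymmetric(sk, "alice")
	priv := EnrollPublicKey(pk, "alice")
	c := newChallenge()
	fmt.Println("symmetric login:", sk.Verify("alice", c, symResponse(sec, c)))
	fmt.Println("public-key login:", pk.Verify("alice", c, signResponse(priv, c)))
	fmt.Println("symmetric store alone suffices:", sk.StoreAloneAuthenticates("alice"))
	fmt.Println("public-key store alone suffices:", pk.StoreAloneAuthenticates("alice"))
}
```

Both designs leave the client holding a key it must protect, as the reply says; the difference is that only the symmetric KDC's database is itself a credential store, which is why a compromised KDC is the weak link there and why the public-key KDC's store can simply be published.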
This archive was generated by hypermail 2b30 : Wed Jul 17 2002 - 19:55:16 PDT