[OpenAFS] Re: why kerberos only works in monolithic organizations

Adam Megacz megacz@cs.berkeley.edu
Fri, 30 Dec 2005 12:57:26 -0800


Commercial CAs are a red herring.

Key distribution will always be a challenge, and commercial CAs are
unlikely to ever be the right/best solution.  However, public key
crypto changes the problem from "secure two-way channel" to
"tamper-proof advertisement."

Example: the fact that the BERKELEY.EDU kdc admin had to add an entry
to the kdc for my AFS server *just so that I could verify the
identities of its users* is a technological anachronism.  All that
should have been necessary is for me to access a place where some
"BERKELEY.EDU public key" is reliably advertised.  Any requirement
stronger than that is a needless burden.

  - a
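The contrast the post draws, as an added example that is not from the post or from OpenAFS: a realm signs a short identity assertion with its private key, and a relying server verifies it using nothing but the realm's advertised public key, so no entry for that server ever has to exist in the KDC. The names Assertion, NewRealmKeys, Issue and Verify are hypothetical, and the JSON assertion format and Ed25519 keys are assumptions chosen for the demonstration, not how Kerberos tickets or AFS tokens are actually encoded.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"time"
)

// Assertion is a constructed identity statement signed by the realm's KDC (its ticket analogue here).
type Assertion struct {
	Realm   string `json:"realm"`
	User    string `json:"user"`
	Expires int64  `json:"expires"` // Unix seconds
}

// NewRealmKeys makes the realm's key pair; only the public half must reach relying servers.
func NewRealmKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Issue is the KDC's side: sign an assertion for user, valid for ttl from now.
func Issue(priv ed25519.PrivateKey, realm, user string, ttl time.Duration, now time.Time) (msg, sig []byte, err error) {
	a := Assertion{Realm: realm, User: user, Expires: now.Add(ttl).Unix()}
	if msg, err = json.Marshal(a); err != nil {
		return nil, nil, err
	}
	return msg, ed25519.Sign(priv, msg), nil
}

// Verify is the relying server's side (the AFS server in the post): it needs
// only the advertised public key, never an entry of its own in the KDC.
func Verify(advertised ed25519.PublicKey, realm string, msg, sig []byte, now time.Time) (string, error) {
	if !ed25519.Verify(advertised, msg, sig) {
		return "", errors.New("signature does not verify under the advertised key")
	}
	var a Assertion
	if err := json.Unmarshal(msg, &a); err != nil {
		return "", err
	}
	if a.Realm != realm {
		return "", errors.New("assertion was issued by a different realm")
	}
	if !now.Before(time.Unix(a.Expires, 0)) {
		return "", errors.New("assertion expired")
	}
	return a.User, nil
}
```

The only trust decision left to the relying server is which advertised key it believes belongs to the realm, which is exactly the "tamper-proof advertisement" problem the post describes.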