[OpenAFS] Re: feasibility of moving lightweight-principals issue "upstream" to kerberos
Adam Megacz
megacz@cs.berkeley.edu
Fri, 30 Dec 2005 21:01:00 -0800
Russ Allbery <rra@stanford.edu> writes:

>> Okay, you're right. There are projects out there that are working on
>> solving this -- and this covers half my concern. The other half is
>> users who do not belong to a realm (i.e. those users who are not
>> affiliated with a university and don't have their own server to run a
>> private KDC on).

> In order to authenticate, they have to be able to talk to some
> authentication service somewhere.

Hrm, but I can check a public key signature even if I'm stranded on a
desert island without "live" access to the CA. I can't do Kerberos
authentication with a peer on a desert island -- I need "live" access
to the KDC.

I mean, you can self-sign a certificate and give a paper copy to
somebody at a conference -- all without having to lease a server
that's "always-on".

I know these aren't the most realistic examples; I'm just trying to
call attention to this requirement that a lot of people can't (or
won't) meet.

- a
--
PGP/GPG: 5C9F F366 C9CF 2145 E770 B1B8 EFB1 462D A146 C380