[OpenAFS] Re: why kerberos only works in monolithic organizations

Adam Megacz megacz@cs.berkeley.edu
Tue, 03 Jan 2006 16:43:00 -0800


"Douglas E. Engert" <deengert@anl.gov> writes:
>>>Maybe it's me, but I've never really seen the difference between a junk
>>>certificate and a Kerberos ticket;

>> Somebody with no prior trust relationship can check the validity of a
>> junk certificate.

> Not nessesarily. Only if the CA certificate used to sign the "junk
> certificate" is trusted in some way.

>From the context of the discussion it should have been clear that I
was speaking from the CA/KDC's perspective.

I cannot check the validity of a Kerberos identity if the KDC does not
"know that I exist", while I can check the validity of an X.509
certificate even if the CA does not know that I exist.

  - a