[OpenAFS] why kerberos only works in monolithic organizations
Fri, 30 Dec 2005 10:12:56 -0800
Ken Hornstein <email@example.com> writes:
> In theory you don't need to encrypt the CA certificate, but you should
> verify it's integrity somehow. This is one of the places where PKI
> tends to cheat; it works great in the usual case where web browsers have
> a standard list of CAs that they accept.
For values of great equal to "trusting a bunch of commercial CAs proven to
be willing to hand out signed certificates to random people with only a
minimum of identification." I definitely would not trust, say, Verisign
to do identity management properly. They're more interested in making
> While I agree it removes the need to share a _secret_, they still need
> to have some sort of trust relationship that should in theory involve
> some out-of-band initialization. At the end of the day, I don't see
> this fundamentally easier than the initialization that Kerberos does.
Russ Allbery (firstname.lastname@example.org) <http://www.eyrie.org/~eagle/>