[OpenAFS] why kerberos only works in monolithic organizations

Russ Allbery rra@stanford.edu
Fri, 30 Dec 2005 10:48:52 -0800


Ken Hornstein <kenh@cmf.nrl.navy.mil> writes:

> I was trying to be nice ... but yes, I agree with you.  Perhaps "great"
> is too strong.  So far, it seems that there haven't been too many
> problems in the common "I want to be sure I'm actually visiting
> https://www.paypal.com and not someone else" case ... if there was
> someone who was handing out paypal/amazon/ebay certificates and they
> were listed as a trusted CA in web browsers, people would be all over
> them.

I think there haven't been many problems in practice because in practice
people don't use SSL certificates for authentication.  They're used to
bootstrap encryption, but most end-users never bother to check anything
about the SSL certificate.  The verification procedures are horribly
inadequate for real security, but authentication is mostly done via being
careful about what's in the URL bar and what one clicks on.

I get regular messages from my bank telling me to never click on any link
for them in an e-mail message and to type their URL in by hand from paper
mail and then bookmark it.  If SSL certificate checking were effective
authentication, this sort of nonsense wouldn't be necessary, but in
practice there are so many ways around it (browser bugs that change the
URL bar, using domains like www.major-bank.ssl-verified.com, using
disguised URLs in e-mail messages where the link text says you're going
one place and the URL goes somewhere else, disguising URLs using username
or password components to the URL, etc.) that people don't even bother to
attack via getting bogus SSL certificates.  Not that that would be
particularly hard either (although as you say, if it affected major sites
there would be a big stink).
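A defender-side check for three of the URL-disguise patterns listed above (username/password components, lookalike subdomains such as www.major-bank.ssl-verified.com, and link text that disagrees with the href). This is an added example, not code from the original post; the expected bank host is a constructed placeholder and the registrable-domain rule is a deliberate simplification.

```python
from urllib.parse import urlsplit

# Constructed placeholder: the host the user actually intends to visit.
EXPECTED_HOST = "www.major-bank.com"


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification for the example;
    production code should consult the Public Suffix List (co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_findings(link_text: str, href: str, expected_host: str = EXPECTED_HOST) -> list[str]:
    """Return a list of reasons an e-mail link is suspicious; empty means clean."""
    findings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()

    # 1. "http://www.major-bank.com@evil.example/": everything before '@' is
    #    userinfo, and the browser connects to the host after it.
    if parts.username is not None or parts.password is not None:
        findings.append("userinfo in URL; real host is %s" % host)

    # 2. Host is not the expected one. If the bank's name is embedded in a
    #    different registrable domain, call it out as a lookalike.
    if host != expected_host.lower() and \
            registrable_domain(host) != registrable_domain(expected_host):
        bank_label = registrable_domain(expected_host).split(".")[0]
        if bank_label in host:
            findings.append("lookalike host %s" % host)
        else:
            findings.append("host %s is not %s" % (host, expected_host))

    # 3. Link text that looks like a URL but names a different host than href.
    text = link_text.strip()
    if "://" in text or text.lower().startswith("www."):
        if "://" not in text:
            text = "//" + text
        text_host = urlsplit(text).hostname
        if text_host and text_host.lower() != host:
            findings.append("link text shows %s but href goes to %s" % (text_host, host))
    return findings
```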

> That one time Verisign gave out a Microsoft code-signing certificate to
> some unknown person (I thought it was Verisign, but maybe it wasn't
> ... it was one of the big names though), it was a huge deal.  But before
> I trusted a Verisign-signed certificate, I'd want to do some out-of-band
> verification that it belonged to who they said it did ... and in that
> case, the person should just save their money and give me their
> certificate directly to sign.  If there was a PKI I felt I could trust,
> I'd feel differently.

Yeah, exactly.

There are PKIs that one can trust in particular problem domains (InCommon
appears to be doing a reasonable job with Shibboleth, for instance), but
for general identity management for any random person or site?  Not so
much.

And that doesn't even get into the problems of multiple people with the
same name, people who change their names but have credentials tied to
their old names, people with obscure and changing affiliations, people who
lose their credentials, and all the other fun of real-life identity
management.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>