[OpenAFS] Re: why kerberos only works in monolithic organizations
Adam Megacz
megacz@cs.berkeley.edu
Fri, 30 Dec 2005 12:57:26 -0800
Commercial CA's are a red herring.
Key distribution will always be a challenge, and commercial CA's are
unlikely to ever be the right/best solution. However, public key
crypto changes the problem from "secure two-way channel" to
"tamper-proof advertisement."
Example: the fact that the BERKELEY.EDU kdc admin had to add an entry
to the kdc for my AFS server *just so that I could verify the
identities of its users* is a technological anachronism. All that
should have been necessary is for me to access a place where some
"BERKELEY.EDU public key" is reliably advertised. Any requirement
stronger than that is a needless burden.
- a