[OpenAFS] Re: feasibility of moving lightweight-principals issue "upstream" to kerberos

Adam Megacz megacz@cs.berkeley.edu
Fri, 30 Dec 2005 21:01:00 -0800

Russ Allbery <rra@stanford.edu> writes:
>> Okay, you're right.  There are projects out there that are working on
>> solving this -- and this covers half my concern.  The other half is
>> users who do not belong to a realm (i.e., those users who are not
>> affiliated with a university and don't have their own server to run a
>> private KDC on).

> In order to authenticate, they have to be able to talk to some
> authentication service somewhere.

Hrm, but I can check a public key signature even if I'm stranded on a
desert island without "live" access to the CA.  I can't do Kerberos
authentication with a peer on a desert island -- I need "live" access
to the KDC.

I mean, you can self-sign a certificate and give a paper copy to
somebody at a conference -- all without having to lease a server
that's "always-on".

I know these aren't the most realistic examples; I'm just trying to
call attention to this requirement that a lot of people can't (or
won't) meet.

  - a

PGP/GPG: 5C9F F366 C9CF 2145 E770  B1B8 EFB1 462D A146 C380