[OpenAFS] Re: why kerberos only works in monolithic organizations
Tue, 03 Jan 2006 16:43:00 -0800
"Douglas E. Engert" <email@example.com> writes:
>>>Maybe it's me, but I've never really seen the difference between a junk
>>>certificate and a Kerberos ticket;
>> Somebody with no prior trust relationship can check the validity of a
>> junk certificate.
> Not necessarily. Only if the CA certificate used to sign the "junk
> certificate" is trusted in some way.
From the context of the discussion it should have been clear that I
was speaking from the CA/KDC's perspective.
I cannot check the validity of a Kerberos identity if the KDC does not
"know that I exist", while I can check the validity of an X.509
certificate even if the CA does not know that I exist.
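The distinction drawn in this message, who is able to check a Kerberos ticket versus who is able to check an X.509 certificate, as an added, runnable illustration that is not part of the original thread and not OpenAFS or MIT Kerberos code. It uses a textbook RSA with tiny constructed primes (no real security) to stand in for the CA's X.509 signature, an HMAC under a key shared between the KDC and the service to stand in for the protection on a Kerberos ticket, and constructed names and keys ("CN=Example CA", "afs/example.org", "user@EXAMPLE.ORG", the byte strings used as keys). Only the Python standard library is used.

```python
import hashlib
import hmac
import json

# --- Toy RSA: textbook signatures over small fixed primes.  This only
# illustrates asymmetric verification; it offers no security at all. ---
E = 65537


def rsa_keygen(p, q):
    """Return ((n, e), (n, d)) for two constructed small primes."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, E), (n, d)


def _digest(data, n):
    # Truncate SHA-256 to 32 bits so the value is below the toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big") % n


def rsa_sign(priv, data):
    n, d = priv
    return pow(_digest(data, n), d, n)


def rsa_verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)


def canonical(obj):
    """Deterministic serialization of the fields being signed or MAC'd."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


# --- CA side: a certificate binds a subject name to a public key, signed
# with the CA's private key.  Anyone holding the CA's *public* key can
# check it; the CA never needs to know who the verifier is. ---
def issue_certificate(ca_priv, issuer, subject, subject_pub):
    tbs = {"issuer": issuer, "subject": subject, "pubkey": list(subject_pub)}
    return {"tbs": tbs, "sig": rsa_sign(ca_priv, canonical(tbs))}


def verify_certificate(ca_pub, cert):
    return rsa_verify(ca_pub, canonical(cert["tbs"]), cert["sig"])


# --- KDC side: a ticket is protected with the service's long-term key,
# which the KDC shares only with that service.  A party the KDC does not
# know has no such key and therefore nothing to check the ticket with. ---
def kdc_issue_ticket(service_key, client, service):
    body = {"client": client, "service": service}
    mac = hmac.new(service_key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def verify_ticket(service_key, ticket):
    expected = hmac.new(service_key, canonical(ticket["body"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, ticket["mac"])


def demo():
    """Constructed scenario: a relying party the CA/KDC has never heard of."""
    ca_pub, ca_priv = rsa_keygen(1000003, 1000033)   # constructed primes
    svc_pub, _ = rsa_keygen(1000037, 1000039)        # constructed primes
    cert = issue_certificate(ca_priv, "CN=Example CA", "afs/example.org", svc_pub)

    service_key = b"constructed-key-shared-by-kdc-and-service"
    ticket = kdc_issue_ticket(service_key, "user@EXAMPLE.ORG", "afs/example.org")

    # The stranger has the CA's published public key but no key from the KDC.
    tampered = {"tbs": dict(cert["tbs"], subject="afs/other.example"),
                "sig": cert["sig"]}
    stranger_guess = b"stranger-shares-nothing-with-the-kdc"
    return {
        "cert_verifiable_by_stranger": verify_certificate(ca_pub, cert),
        "tampered_cert_rejected": not verify_certificate(ca_pub, tampered),
        "ticket_verifiable_by_stranger": verify_ticket(stranger_guess, ticket),
        "ticket_verifiable_by_service": verify_ticket(service_key, ticket),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The certificate check needs only the CA's public key, so it succeeds for a party the CA has never registered and still rejects a modified subject; the ticket check needs the key the KDC shares with the service, so without that prior relationship there is nothing to verify against.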