[OpenAFS] Re: why kerberos only works in monolithic organizations

Ken Hornstein kenh@cmf.nrl.navy.mil
Wed, 04 Jan 2006 00:38:47 -0500

>>>>Maybe it's me, but I've never really seen the difference between a junk
>>>>certificate and a Kerberos ticket;
>>> Somebody with no prior trust relationship can check the validity of a
>>> junk certificate.
>> Not necessarily. Only if the CA certificate used to sign the "junk
>> certificate" is trusted in some way.
>From the context of the discussion it should have been clear that I
>was speaking from the CA/KDC's perspective.

I think you mean "From an application server's perspective", because they're
the ones who really care about identity validation.

>I cannot check the validity of a Kerberos identity if the KDC does not
>"know that I exist", while I can check the validity of an X.509
>certificate even if the CA does not know that I exist.

Well, the steps are sort of the same, in that they require roughly the
same amount of management.  In Kerberos, you have to have a registered
service key to decrypt an AP_REQ.  With an X.509 certificate, you have
to compare the cert's signature against a CA you've somehow designated
as "trusted" ... and then you have to compare certificate against
the CRL, which is the real rub (and really makes offline verification
unfeasible, IMHO).  I say these two are roughly equal, because the amount
of work you need to do for the X.509 certificate is larger, but requires
no KDC registration; it sort of balances out.

Now, you will point out that even with all of the extra stuff X.509
requires you to do, you don't need to register anything with the
KDC.  That's a fair point.  However ... that really should only be
an issue if your KDC admins are complete uncooperative bastards,
incompetent, or both; we give out service tickets in our realm for
services to verify client credentials to all sorts of people in our
organization (outside of our organization, we let cross-realm take
care of that).  I fully admit that PKI works better when you have
admins that suck.

If I had the desire to allow any random person to verify client
credentials in my realm (I don't currently), I think I would put
up a web page where anyone could request "junk" service keys in my
realm for this purpose.  You'd have to put some constraints on them
to prevent some security problems, but I think with some careful
thinking it could be workable.
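As an added example (not code from this thread or from OpenAFS), here are the X.509 relying-party steps Ken lists: find the issuing CA among the ones you have designated as trusted, check the certificate's signature against it, then check the certificate against a CRL that is itself signed by that CA. It uses the Python `cryptography` package and builds a throwaway CA, certificates and CRL in memory; all names and serials are constructed for the demo.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.exceptions import InvalidSignature

NOW = datetime.datetime.now(datetime.timezone.utc)
DAY = datetime.timedelta(days=1)

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_ca(cn):
    """Self-signed CA, constructed for the demo (not a real authority)."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(_name(cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - DAY).not_valid_after(NOW + DAY)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue(ca_key, ca_cert, cn):
    """End-entity ("junk") certificate for cn, signed by the CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - DAY).not_valid_after(NOW + DAY)
            .sign(ca_key, hashes.SHA256()))

def make_crl(ca_key, ca_cert, revoked_serials):
    """CRL signed by the CA listing the given serial numbers as revoked."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(NOW - DAY).next_update(NOW + DAY))
    for s in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s).revocation_date(NOW).build())
    return b.sign(ca_key, hashes.SHA256())

def _signed_by(ca_cert, signature, tbs, algo):
    try:
        ca_cert.public_key().verify(signature, tbs, ec.ECDSA(algo))
        return True
    except InvalidSignature:
        return False

def verify(cert, trusted_cas, crl):
    """Return 'ok', or the reason a relying party must reject cert."""
    ca = next((c for c in trusted_cas if c.subject == cert.issuer), None)
    if ca is None:                       # no prior trust in this issuer
        return "issuer not trusted"
    if not _signed_by(ca, cert.signature, cert.tbs_certificate_bytes, cert.signature_hash_algorithm):
        return "bad signature"
    if crl is None:                      # offline: revocation cannot be ruled out
        return "no CRL available"
    if crl.issuer != ca.subject or not _signed_by(ca, crl.signature, crl.tbs_certlist_bytes, crl.signature_hash_algorithm):
        return "untrusted CRL"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "ok"
```

Note that `verify(cert, cas, None)` refuses rather than passes: without a fresh, CA-signed CRL the relying party cannot distinguish a valid certificate from a revoked one, which is the offline problem the message points at.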