Arshad Noor <[EMAIL PROTECTED]> writes:
> That said, Kerberos clearly has the benefit of 20+ years of research
> and use in the field. However, there are two fundamental differences
> between SKSML and Kerberos, IMHO:
>
> 1) The design goals for Kerberos were very different from SKSML. The
> former solves the problem of network-authentication in the face of
> insecure hosts/networks, while the latter focuses on long-term key
> management.

Well, kerberos does both, really. It also has the advantage that it is
fully specified and integrates with GSSAPI.

> That they both use very similar concepts & components
> to deliver quite different benefits to applications is testament to
> the strength and flexibility of the underlying components rather
> than to a weakness of SKSML.
>
> 2) AFAIK, Kerberos clients cannot deliver their stated benefit (network
> authentication) in the absence of the network or the Kerberos server.

It is generally hard to deliver network authentication without a
network. That said, kerberos tickets can persist even in the face of
disconnects, so once you've connected, tickets can survive as long as
you wish.

> SKSML is designed to allow disconnected EKMI clients to continue
> providing cryptographic services to applications even in the absence
> of the network or the key-management server. However, it does
> require that the Symmetric Key Client Library (SKCL) have connected
> to the Symmetric Key Services (SKS) server at least once before it
> can use this capability.

That's no different from Kerberos, and kerberos works quite well already.

Perry
--
Perry E. Metzger [EMAIL PROTECTED]
