Tim Alsop wrote:
>
> Oliver,
>
> The design seems to be asymmetric in that the need to store a secret long-term key
> at the client has been avoided (the client only needs to store its TGT), but a
> secret long-term key at the server is still necessary. I am afraid our customer
> will complain about this ...

If your customers are using a Windows domain, and log in to the workstation using the domain, the workstation has a long term secret, set up by the AD administrator at some time. Microsoft stores the machine password and derives a key from this rather than just storing a key. AD uses Kerberos under the covers.

>
> This is not the case if you use user-to-user GSS since the server uses a secret
> derived from a userid/password logon. Please read my earlier reply on this subject.
>
> Tim.
> ________________________________________________
> Kerberos mailing list [EMAIL PROTECTED]
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
