On Fri Nov 7 01:57:42 2003, Oliver Schoett said:

> The design seems to be asymmetric in that the need to store a secret
> long-term key at the client has been avoided (the client only needs to
> store its TGT), but a secret long-term key at the server is still
> necessary. I am afraid our customer will complain about this ...
Oliver,

Well, it's actually a little more symmetric than that. If the client is acting on behalf of a user at a terminal, then the secret long-term 'key' IS stored - in the user's biological memory (in the form of a password that gets converted to the key). The server's keytab plays a role analogous to a human user's memory.

If a client must authenticate while unattended by a human, then the key WOULD have to be stored somewhere on the client.

BTW: I'm speaking of the basic Kerberos protocol here, not particularly about GSS.

Mike

------------------------------------------------------------------------------
Mike Friedman              System and Network Security
[EMAIL PROTECTED]          2484 Shattuck Avenue
1-510-642-1410             University of California at Berkeley
http://ack.Berkeley.EDU/~mikef   http://security.berkeley.edu
------------------------------------------------------------------------------

________________________________________________
Kerberos mailing list   [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
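The password-to-key conversion Mike refers to, as an added example that is not part of the original thread: the RFC 3962 string-to-key function for aes128-cts-hmac-sha1-96, which is what a client runs on the typed password to obtain the same long-term key the server side keeps in its keytab. The salt follows the RFC 4120 default (realm name followed by the principal name components, no separators); the realm and principal below are constructed sample inputs borrowed from the RFC 3962 test vectors, and the AES-128 block cipher is implemented inline so the example runs offline with nothing beyond the standard library.

```python
# Added example (not code from the mailing-list thread): Kerberos string-to-key
# for aes128-cts-hmac-sha1-96 (RFC 3962), i.e. how a client turns a password
# into its long-term key without ever storing that key on disk.
# Sample realm/principal values are constructed inputs from the RFC 3962 vectors.
import hashlib
import math


def default_salt(realm, *components):
    """RFC 4120 default salt: realm name followed by the principal's name
    components, concatenated with no separators (e.g. ATHENA.MIT.EDUraeburn)."""
    return (realm + "".join(components)).encode("utf-8")


def _rotate_right(data, bits):
    """Rotate a byte string right by `bits` bits, treating it as one big integer."""
    n = len(data) * 8
    bits %= n
    v = int.from_bytes(data, "big")
    v = ((v >> bits) | (v << (n - bits))) & ((1 << n) - 1)
    return v.to_bytes(len(data), "big")


def nfold(data, nbytes):
    """RFC 3961 n-fold: repeat `data`, rotating right 13 bits each time, until
    the total length is lcm(len(data), nbytes); then add the nbytes-sized
    chunks with ones'-complement (end-around carry) addition."""
    lcm = len(data) * nbytes // math.gcd(len(data), nbytes)
    buf = b"".join(_rotate_right(data, 13 * i) for i in range(lcm // len(data)))
    total = sum(int.from_bytes(buf[i:i + nbytes], "big") for i in range(0, lcm, nbytes))
    width = nbytes * 8
    while total >> width:                      # fold carries back in
        total = (total & ((1 << width) - 1)) + (total >> width)
    return total.to_bytes(nbytes, "big")


def _xtime(a):
    """Multiply by x in GF(2^8) with the AES reduction polynomial."""
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1


def _build_sbox():
    """Generate the AES S-box: walk the multiplicative group with p (x3) and
    its inverse q (/3), then apply the affine transform to q."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        q ^= q << 1
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)   # sum of rotations
        sbox[p] = ((x ^ (x >> 8)) & 0xFF) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()


def _expand_key(key):
    """AES-128 key schedule: 16-byte key -> 11 round keys of 16 bytes."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord + SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def aes128_encrypt_block(key, block):
    """Encrypt one 16-byte block with AES-128; the state is column-major."""
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                               # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]     # ShiftRows
        if rnd != 10:                                          # MixColumns
            mixed = []
            for c in range(4):
                a = s[4 * c:4 * c + 4]
                for r in range(4):
                    mixed.append(_xtime(a[r]) ^ _xtime(a[(r + 1) % 4])
                                 ^ a[(r + 1) % 4] ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])
            s = mixed
        s = [b ^ k for b, k in zip(s, rk[rnd])]
    return bytes(s)


def string_to_key(password, salt, iterations=4096):
    """RFC 3962 string-to-key for aes128-cts-hmac-sha1-96:
       tkey = PBKDF2-HMAC-SHA1(password, salt, iterations, 16 bytes)
       key  = DK(tkey, "kerberos") = AES-CBC-CTS(tkey, n-fold("kerberos"), IV = 0)
    The folded constant is exactly one block, so the CTS encryption reduces to
    a single AES block encryption.  4096 is the RFC's default iteration count."""
    tkey = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, 16)
    return aes128_encrypt_block(tkey, nfold(b"kerberos", 16))


if __name__ == "__main__":
    # Same password, two realms: the salt makes the derived keys differ, so a
    # keytab entry is only valid for the realm/principal it was extracted for.
    for realm in ("ATHENA.MIT.EDU", "EXAMPLE.COM"):
        print(realm, string_to_key("password", default_salt(realm, "raeburn")).hex())
```

Nothing in this path is written to disk on the client: the key exists only while the password is in memory, which is the asymmetry Mike points out. A keytab entry for the same principal stores the output of string_to_key directly, so the two sides agree on the key only if the realm, principal name, enctype and salt match.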
