Ken Hornstein wrote:
> When I cornered one of the Globus guys and asked him point-blank the
> same question, he told me that in his opinion the decision to do PKI
> was really driven politically from the top, and he thought Kerberos
> made a LOT more sense.

the original pk-init draft for kerberos specified certificateless operation
http://www.garlic.com/~lynn/subpubkey.html#certless

you basically registered a public key with kerberos in lieu of a password and then used digital signature authentication with the onfile public key (no PKI and/or digital certificates required).
http://www.garlic.com/~lynn/subpubkey.html#kerberos

this was basically an authentication technology upgrade w/o having to introduce any new business processes and extraneous infrastructure operations. it was later that certificate-based operation was added to the kerberos pk-init draft.

i gave a talk on this at the global grid forum #11
http://www.garlic.com/~lynn/index.html#presentation

at the meeting there was some debate on kerberos vis-a-vis radius as an authentication & authorization business process infrastructure.

note that in addition to there having been a non-PKI, certificate-less authentication upgrade for kerberos (using onfile public keys), there has been a similar proposal for RADIUS; basically registering public keys in lieu of passwords and performing digital signature authentication with the onfile public keys.
http://www.garlic.com/~lynn/subpubkey.html#radius

Straightforward upgrade of the authentication technology w/o having to layer on a separate cumbersome PKI business process.
