Nico Williams <[email protected]> writes:
> On Fri, Jan 18, 2013 at 1:35 PM, Russ Allbery <[email protected]> wrote:

>> Er, it's still a good security practice to use a separate set of
>> credentials that you don't type into everything all the time to do your
>> daily work. Particularly given that we still live in a world where
>> there's a lot of SASL PLAIN over TLS.

> That might be true, but a) do you really think that people use
> different passwords for */admin principals than their regular user
> principals?

We certainly do, and this is actually quite easy to programmatically
enforce. But given the small number of people involved, it's not that
difficult to train them appropriately.

> and b) there's no reason that we couldn't have different credentials for
> this without having different identifiers.

It's by far the easiest way to do that, though.

>> So no, there is definitely a point.

> But I don't believe that distinct names is necessary for this.

One of the things I really like about Kerberos is the ability to have
multiple identities for a particular person with different security
profiles or different contexts. We use this a lot.

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
