Adam Megacz wrote:
> Commercial CAs are a red herring.
> 
> Key distribution will always be a challenge, and commercial CAs are
> unlikely to ever be the right/best solution.  However, public key
> crypto changes the problem from "secure two-way channel" to
> "tamper-proof advertisement."
> 
> Example: the fact that the BERKELEY.EDU kdc admin had to add an entry
> to the kdc for my AFS server *just so that I could verify the
> identities of its users* is a technological anachronism.  All that
> should have been necessary is for me to access a place where some
> "BERKELEY.EDU public key" is reliably advertised.  Any requirement
> stronger than that is a needless burden.
> 
>   - a

This is exactly what PKCROSS, when implemented, will provide you.
You will be able to say that in your Kerberos realm, MEGACZ.COM,
you are willing to exchange a key with BERKELEY.EDU so that you can
trust its authentication of its users. You would then configure your
AFS cell so that it is willing to issue AFS IDs to remote users from
BERKELEY.EDU, as many sites already do today.

Jeffrey Altman

