Adam Megacz <[EMAIL PROTECTED]> writes:

> Russ Allbery <[EMAIL PROTECTED]> writes:

>> In order to authenticate, they have to be able to talk to some
>> authentication service somewhere.

> Hrm, but I can check a public key signature even if I'm stranded on a
> desert island without "live" access to the CA.  I can't do Kerberos
> authentication with a peer on a desert island -- I need "live" access to
> the KDC.

The CA that signs that certificate to attest that it really belongs to
that person is the authentication service.  You're certainly correct that
public key authentication can do off-line verification whereas
traditional Kerberos cannot.

> I mean, you can self-sign a certificate and give a paper copy to
> somebody at a conference -- all without having to lease a server that's
> "always-on".

In that case, the person to whom you're handing the certificate and who
is verifying that you are who you say you are is the authentication
service.

> I know these aren't the most realistic examples; I'm just trying to call
> attention to this requirement that a lot of people can't (or won't)
> meet.

To some degree, the disagreement here is more based on terminology than
real disagreement over goals and possibilities.  Many of us are used to
trying to analyze security systems by identifying where the
authentication and authorization are happening.  There's always an
authentication service hidden somewhere, even if it's in a
non-traditional form, and that's still generally where the hard problems
are.

What it sounds to me like you're saying is that you want to grant access
to your AFS cell (authorize) people for whom you have no traditional
authentication provider.  Sure, I get this.  Lots of people want to do
this.  The answer is to find an authentication provider that will work
for those people.  But you're still going to be doing authentication (and
therefore identity management, since you want your authentication system
to satisfy certain identity binding requirements which will require at
least some form of identity management).

-- 
Russ Allbery ([EMAIL PROTECTED])             <http://www.eyrie.org/~eagle/>

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
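The "desert island" point above, worked through in code: an added example written for this page, not code from the thread participants or from OpenAFS. It uses a constructed paper-certificate format (subject name, subject key, issuer name, issuer signature; not X.509) and Go's standard-library Ed25519; the names `paper-ca`, `alice`, `rogue-ca` and the nonce are made-up sample values. The verifier's only state is a set of issuer public keys pinned out of band, which is exactly where the authentication service Russ is pointing at ends up: whoever put those keys in the trust store. Verification needs no live connection to the CA, a self-signed certificate reduces to pinning the peer's own key (the person who handed over the paper), and a certificate from an issuer nobody pinned is rejected, also offline.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Cert is a minimal "paper certificate": a subject name, the subject's
// public key, the issuer's name, and the issuer's signature over the
// first two. Constructed format for this example, not X.509.
type Cert struct {
	Subject   string
	PubKey    ed25519.PublicKey
	Issuer    string
	Signature []byte
}

// TrustStore holds the verifier's pinned issuer public keys. This is the
// only state the verifier needs, which is why verification works offline:
// the "authentication service" is whoever put these keys here.
type TrustStore map[string]ed25519.PublicKey

// NewIdentity generates a fresh Ed25519 key pair (a nil reader makes
// GenerateKey use crypto/rand).
func NewIdentity() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// toBeSigned binds the subject name to the key; the NUL separator keeps
// distinct (name, key) pairs from serializing to the same bytes.
func toBeSigned(subject string, pub ed25519.PublicKey) []byte {
	return append([]byte(subject+"\x00"), pub...)
}

// Issue has issuer vouch for the binding (subject, pub). A self-signed
// certificate is simply issuer == subject with issuerPriv matching pub.
func Issue(issuer string, issuerPriv ed25519.PrivateKey, subject string, pub ed25519.PublicKey) Cert {
	return Cert{
		Subject:   subject,
		PubKey:    pub,
		Issuer:    issuer,
		Signature: ed25519.Sign(issuerPriv, toBeSigned(subject, pub)),
	}
}

// Verify checks the certificate against the pinned issuer keys. No
// network access is needed: the issuer's key was obtained out of band.
func (ts TrustStore) Verify(c Cert) error {
	issuerPub, ok := ts[c.Issuer]
	if !ok {
		return errors.New("unknown issuer: no pinned key for " + c.Issuer)
	}
	if !ed25519.Verify(issuerPub, toBeSigned(c.Subject, c.PubKey), c.Signature) {
		return errors.New("certificate signature does not verify")
	}
	return nil
}

// Respond is the peer's half of a challenge-response: sign the verifier's
// challenge with the private key matching the certified public key.
func Respond(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// Authenticate does the two checks a verifier needs: the certificate
// binds the name to a key the verifier trusts, and the peer proves it
// holds that key. Either failing means the peer is not who it claims.
func Authenticate(ts TrustStore, c Cert, challenge, response []byte) error {
	if err := ts.Verify(c); err != nil {
		return err
	}
	if !ed25519.Verify(c.PubKey, challenge, response) {
		return errors.New("peer does not hold the key named in the certificate")
	}
	return nil
}

func main() {
	caPub, caPriv := NewIdentity()
	alicePub, alicePriv := NewIdentity()
	verifier := TrustStore{"paper-ca": caPub} // pinned before going offline

	cert := Issue("paper-ca", caPriv, "alice", alicePub)
	challenge := []byte("constructed-nonce-1")
	fmt.Println("alice via CA:", Authenticate(verifier, cert, challenge, Respond(alicePriv, challenge)))

	// Self-signed: the trust store pins alice's own key, handed over in person.
	self := Issue("alice", alicePriv, "alice", alicePub)
	fmt.Println("alice self-signed:", (TrustStore{"alice": alicePub}).Verify(self))

	// A certificate from an issuer nobody pinned is rejected, also offline.
	_, roguePriv := NewIdentity()
	malPub, _ := NewIdentity()
	fmt.Println("rogue issuer:", verifier.Verify(Issue("rogue-ca", roguePriv, "alice", malPub)))
}
```

The Kerberos contrast is what is absent here: nothing in `Verify` or `Authenticate` contacts a third party at run time, so the whole authentication decision rests on how the keys got into the `TrustStore` in the first place. That key-distribution step is the identity management Russ says you cannot avoid, whether it is a CA, or a person checking your conference badge before pocketing your paper certificate.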
