>>>> Maybe it's me, but I've never really seen the difference between a junk certificate and a Kerberos ticket;

>>> Somebody with no prior trust relationship can check the validity of a junk certificate.

>> Not necessarily. Only if the CA certificate used to sign the "junk certificate" is trusted in some way.

> From the context of the discussion it should have been clear that I was speaking from the CA/KDC's perspective.

I think you mean "From an application server's perspective", because they're the ones who really care about identity validation.

> I cannot check the validity of a Kerberos identity if the KDC does not "know that I exist", while I can check the validity of an X.509 certificate even if the CA does not know that I exist.

Well, the steps are sort of the same, in that they require roughly the same amount of management. In Kerberos, you have to have a registered service key to decrypt an AP_REQ. With an X.509 certificate, you have to compare the cert's signature against a CA you've somehow designated as "trusted" ... and then you have to compare the certificate against the CRL, which is the real rub (and really makes offline verification unfeasible, IMHO). I say these two are roughly equal, because the amount of work you need to do for the X.509 certificate is larger, but requires no KDC registration; it sort of balances out.

Now, you will point out that even with all of the extra stuff X.509 requires you to do, you don't need to register anything with the KDC. That's a fair point. However ... that really should only be an issue if your KDC admins are complete uncooperative bastards, incompetent, or both; we give out service tickets in our realm for services to verify client credentials to all sorts of people in our organization (outside of our organization, we let cross-realm take care of that). I fully admit that PKI works better when you have admins that suck.

If I had the desire to allow any random person to verify client credentials in my realm (I don't currently), I think I would put up a web page where anyone could request "junk" service keys in my realm for this purpose. You'd have to put some constraints on them to prevent some security problems, but I think with some careful thinking it could be workable.

--Ken

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
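As an added illustration (not code from the thread or from OpenAFS), the X.509 relying-party steps Ken lists, checking the certificate's signature against a CA designated as trusted and then checking the CRL, run with the openssl command line against a throwaway CA in a temporary directory; the config file, the CA name "Demo CA" and the service name service.example are constructed for the example. It makes the CRL point concrete: with revocation checking turned on, verification fails outright when no CRL is reachable, passes with a fresh CRL, and fails again once the CA has revoked the certificate and reissued the CRL. The Kerberos side (a registered service key decrypting an AP_REQ) is not simulated.

```shell
#!/bin/sh
# Added example, not from the thread: the relying-party steps for X.509
# (signature against a trusted CA, then the CRL) driven with the openssl CLI
# against a throwaway CA. All names (demo.cnf, "Demo CA", service.example)
# are constructed for this example.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Minimal OpenSSL config: [req] builds the self-signed CA, [demo_ca] drives
# `openssl ca` for CRL issuance and revocation.
cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[ dn ]
CN = Demo CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = index.txt
crlnumber        = crlnumber
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_crl_days = 1
EOF

# Trust anchor plus one leaf certificate signed by it.
build_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
      -days 1 -config demo.cnf -subj "/CN=Demo CA" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
      -config demo.cnf -subj "/CN=service.example" 2>/dev/null
  openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 1 -out leaf.crt 2>/dev/null
  : > index.txt          # empty issuance database for `openssl ca`
  echo 01 > crlnumber    # starting CRL number
}

# Sign a fresh CRL with the CA key; the relying party has to be able to fetch this.
issue_crl() {
  openssl ca -config demo.cnf -gencrl -out ca.crl 2>/dev/null
}

# Mark the leaf revoked in the CA database and publish a new CRL.
revoke_leaf() {
  openssl ca -config demo.cnf -revoke leaf.crt 2>/dev/null
  issue_crl
}

# verify_status [crl]: prints OK, REVOKED, NO_CRL or FAIL. Nothing is
# registered with the CA for this; the verifier only holds ca.crt and a CRL.
verify_status() {
  if [ $# -eq 0 ]; then
    out=$(openssl verify -crl_check -CAfile ca.crt leaf.crt 2>&1) && { echo OK; return 0; }
  else
    out=$(openssl verify -crl_check -CAfile ca.crt -CRLfile "$1" leaf.crt 2>&1) && { echo OK; return 0; }
  fi
  case "$out" in
    *"certificate revoked"*)           echo REVOKED ;;
    *"unable to get certificate CRL"*) echo NO_CRL ;;
    *)                                 echo FAIL ;;
  esac
}

build_pki
issue_crl
NO_CRL_STATUS=$(verify_status)          # signature checks out, but no CRL: NO_CRL
VALID_STATUS=$(verify_status ca.crl)    # OK
revoke_leaf
REVOKED_STATUS=$(verify_status ca.crl)  # REVOKED
echo "without CRL: $NO_CRL_STATUS, with CRL: $VALID_STATUS, after revocation: $REVOKED_STATUS"
```

The NO_CRL result is the "real rub" in practice: once revocation checking is on, a verifier that cannot reach a current CRL has no valid answer, which is why offline verification of X.509 identities is hard even though no registration with the CA is needed.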
