> authentication systems. People say they would rather implement
> something based on public keys than Kerberos because Kerberos has a
> higher administrative cost and the cross realm work is too high.
>
> As far as I can tell the work levels are equivalent.
Even if the work levels are equivalent, Kerberos requires a server
which stores keys. If compromised, it gives someone "the keys to the
kingdom".
Public key solutions store the secrets in a distributed fashion.
(E.g., each user guards his private key, usually protected with
a pass-phrase, which has the side advantage that users *might*
have a better assurance of privacy from administrators).
Although the CA key must be securely guarded, normal processing
(i.e., authentication) does not require the CA private key, and
it is easier to safeguard a floppy (or whatever) containing the
CA's private key that can be taken with you than a machine which must
stay running on a network and therefore protected both physically
and hack-tronically.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
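As an added illustration, not part of the original post or the OpenSSL project, the following Python sketches the two trust models the reply above contrasts. The `KDC` class stands in for a Kerberos key server that must hold every principal's long-term key online, so a dump of it lets an intruder answer challenges for every user; the `PKIVerifier` class holds only the CA's public key, the CA private key is touched once at certificate issuance and can then be taken offline, and compromising the verifier yields no user secrets. The RSA here is textbook RSA on fixed Mersenne primes with a truncated SHA-256 and no padding, chosen only so the example runs with the standard library; it is a teaching stand-in, not a signature scheme to deploy. All names, keys and nonces are constructed for the example.

```python
import hashlib
import hmac
import secrets

# ---- Model 1: a Kerberos-style KDC that holds every user's long-term key ----

class KDC:
    """Central key store (constructed toy): every principal's secret lives here."""

    def __init__(self, user_keys):
        self._keys = dict(user_keys)

    def verify(self, user, challenge, response):
        key = self._keys[user]
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def dump_all_keys(self):
        """What an intruder walks away with after compromising the server."""
        return dict(self._keys)


def kdc_client_response(key, challenge):
    """Client side: prove possession of the shared key for this challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


# ---- Model 2: a PKI where the online verifier holds only the CA public key ----

# Mersenne primes 2^61-1, 2^89-1, 2^107-1, 2^127-1 keep the toy dependency-free.
M61, M89, M107, M127 = (1 << 61) - 1, (1 << 89) - 1, (1 << 107) - 1, (1 << 127) - 1
E = 65537


def toy_rsa_keypair(p, q):
    """Textbook RSA key from two primes (toy: no padding, fixed primes)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # raises ValueError if E is not invertible (it is here)
    return (n, E), (n, d)


def _digest_int(data):
    # 128-bit truncation keeps the value below every modulus used in this toy.
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def toy_sign(priv, data):
    n, d = priv
    return pow(_digest_int(data), d, n)


def toy_verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest_int(data)


def cert_body(user, pub):
    return f"{user}|{pub[0]}|{pub[1]}".encode()


def ca_issue_cert(ca_priv, user, user_pub):
    """Offline step: the only moment the CA private key is needed."""
    return {"user": user, "pub": user_pub, "sig": toy_sign(ca_priv, cert_body(user, user_pub))}


class PKIVerifier:
    """Online service (constructed toy): stores the CA public key and nothing secret."""

    def __init__(self, ca_pub):
        self.ca_pub = ca_pub

    def verify(self, cert, challenge, response):
        # 1. the certificate must carry a valid CA signature over (user, public key)
        if not toy_verify(self.ca_pub, cert_body(cert["user"], cert["pub"]), cert["sig"]):
            return False
        # 2. the challenge must be signed by the private key matching that certificate
        return toy_verify(cert["pub"], challenge, response)

    def dump_all_keys(self):
        return {}  # a compromise of this host reveals no user or CA secret


def demo():
    challenge = b"constructed-nonce-0001"

    # Kerberos-style: the key server knows alice's key, so does whoever dumps it.
    alice_key = b"alice-long-term-key"
    kdc = KDC({"alice": alice_key})
    kdc_ok = kdc.verify("alice", challenge, kdc_client_response(alice_key, challenge))
    stolen = kdc.dump_all_keys()
    forged_ok = kdc.verify("alice", b"later-nonce", kdc_client_response(stolen["alice"], b"later-nonce"))

    # PKI-style: CA signs alice's cert once, then only public material stays online.
    ca_pub, ca_priv = toy_rsa_keypair(M127, M107)
    alice_pub, alice_priv = toy_rsa_keypair(M89, M61)
    cert = ca_issue_cert(ca_priv, "alice", alice_pub)
    verifier = PKIVerifier(ca_pub)
    pki_ok = verifier.verify(cert, challenge, toy_sign(alice_priv, challenge))
    # Someone who dumped the verifier has only ca_pub: a guessed response fails.
    guessed_ok = verifier.verify(cert, challenge, secrets.randbelow(alice_pub[0]))
    # Re-labelling the certificate breaks the CA signature binding.
    tampered = dict(cert, user="mallory")
    tampered_ok = verifier.verify(tampered, challenge, toy_sign(alice_priv, challenge))

    return {
        "kdc_auth": kdc_ok, "kdc_forged_after_compromise": forged_ok,
        "kdc_secrets_exposed": len(stolen),
        "pki_auth": pki_ok, "pki_guess": guessed_ok, "pki_tampered_cert": tampered_ok,
        "pki_secrets_exposed": len(verifier.dump_all_keys()),
    }


if __name__ == "__main__":
    print(demo())
```

The point the numbers make is the one in the reply: after a dump of the KDC the attacker authenticates as alice indefinitely, while a dump of the PKI verifier hands over no long-term secret, and the CA private key used in `ca_issue_cert` never had to be on the networked host at all.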