On Tue, Jun 05, 2007 at 11:45:04AM -0700, Henry B. Hotz wrote: > On Jun 5, 2007, at 11:09 AM, Nicolas Williams wrote: > >Usually the way this is addressed is by having an OTP vendor provided > >API that sends the OTP to a remote server for verification, and that > >remote server is clustered. > > The problem with this is that your OTP system is validating the KDC, > not the real client. Why should I pay an OTP vendor to validate my KDC?
Huh? No, the OTP came from the client. It's the KDC's (and the client's) job to protect it from passive and preferably also active attackers, but the OTP authenticates the user, not the KDC. > This is the problem that the Krb WG is worried about, but it gets > into what I said at the beginning. I don't think they're addressing > the real problem. They're going down that path because they have > vendors working on the standards that want to validate my KDC, and > they think they can make it work, not because it's the right solution. Either I'm missing something or you are. I suggest that you take your concerns to the IETF KRB WG list. There's no point in further discussing this matter here since this is really not an appropriate forum for protocols being developed and standardized there. > You may bring this discussion up with whatever IETF groups are > relevant. I'm afraid I've come to the conclusion ATM, that I don't > have the time to pursue a real solution in either the standards or > the implementation senses of the word. That's too bad. I don't understand or agree with your position, thus I cannot be an advocate for it. You spent a good deal of time and effort on _this_ list. It wouldn't represent any significant additional effort to post a link for this thread on the KRB WG list. Nico --
