OpenSSH PKCS#11 merge
Carson Gaspar
carson at taltos.org
Thu Sep 27 19:38:30 EST 2007
Alon Bar-Lev wrote:
> Kerberos is a single point of failure in terms of availability and security.
Ummm... how? If you have 50 KDCs, what single point of availability
failure is there? Yes, a compromised KDC key store is bad, but then so
is a compromised CA. Actually, I'd say the compromised CA is worse (or
has revocation actually been deployed in the real world yet? Oh wait, it
hasn't been.)
> Even if Kerberos is a good solution for one domain network, how can
> you access foreign networks?
Cross-realm trust
> And even if you Kerberos the whole world... How can you securely
> access the Kerberos KDC when the KDC is down?
Have more than one... duh.
> Just like OpenSSH can access file based keys it should be able to use
> smartcard based keys and PKCS#11 is the common interface to access
> smartcards.
I'm not against smartcard support. But Kerberos bashing is not the way
to get it. Especially underinformed (if I'm being charitable) bashing.
PKI, solving yesterday's problems, tomorrow, for over a decade...
--
Carson