This is a discussion on Re: OpenSSH PKCS#11 merge within the OpenSSH Development forums, part of the Networking and Network Related category.
Alon Bar-Lev wrote:
> Kerberos is a single point of failure in terms of availability and security.

Ummm... how? If you have 50 KDCs, what single point of availability failure is there? Yes, a compromised KDC key store is bad, but then so is a compromised CA. Actually, I'd say the compromised CA is worse (or has revocation actually been deployed in the real world yet? Oh wait, it hasn't been.)

> Even if Kerberos is a good solution for one domain network, how can
> you access foreign networks?

Cross-realm trust.

> And even if you Kerberos the whole world... How can you securely
> access the Kerberos KDC when the KDC is down?

Have more than one... duh.

> Just like OpenSSH can access file based keys it should be able to use
> smartcard based keys and PKCS#11 is the common interface to access
> smartcards.

I'm not against smartcard support. But Kerberos bashing is not the way to get it. Especially underinformed (if I'm being charitable) bashing.

PKI, solving yesterday's problems, tomorrow, for over a decade...

-- Carson

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/li...enssh-unix-dev