[Discuss] Why the dislike of X.509?

Richard Pieri richard.pieri at gmail.com
Mon Aug 25 16:37:14 EDT 2014


On 8/25/2014 3:55 PM, markw at mohawksoft.com wrote:
> If your system is compromised, you can be pretty sure that the attackers
> will be able to erase their tracks. This is the nature of cracking. The
> only way to be sure is to monitor access via an external logging system.

Again with the gross misrepresentation. Kerberos isn't necessarily
centralized. It can be compartmentalized so that the entire organization
isn't vulnerable to a single KDC compromise. Additionally, Kerberos
itself has mechanisms to detect tampering. They can be worked around but
doing so is much more difficult than using a stolen root certificate to
cut and sign rogue node and site certificates.


> No security can withstand privileged access.

True, but with PKI and escrow a single attack can silently compromise
the entire domain in one go.

-- 
Rich P.
