[Discuss] Why the dislike of X.509?
Richard Pieri
richard.pieri at gmail.com
Wed Aug 27 14:13:31 EDT 2014
As an aside:
On 8/26/2014 1:04 PM, Derek Atkins wrote:
> You (or someone) also brought up Kerberos. Kerberos *IS* a key escrow
> system. If an attacker breaks into your KDC they literally have all the
> keys to your kingdom. Not only can they impersonate anyone, they can go
I operate a Kerberos realm. I am not able to tell my users their
passwords. I don't have them. Kerberos stores one-way hashes of users'
passwords. I could brute force the database with sufficient time but
that is steps removed from having the actual keys in my hands.
A bad actor can do quite a bit with a compromised KDC but these things
are well known. Steps to prevent compromise are well documented as are
steps to identify compromised KDCs and mitigate the damage that they can do.
--
Rich P.
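As an added illustration, not part of the thread above, of the "one-way hashes" Rich refers to: for the AES enctypes the KDC stores a key derived from the password by the RFC 3962 string-to-key function, whose first stage is PBKDF2-HMAC-SHA1 salted with the realm and principal name. The snippet below reproduces that stage with the standard library only (the final enctype-specific DK step that turns the PBKDF2 output into the AES key is omitted because it needs an AES implementation); the principal names other than the RFC's own test vector are constructed.

```python
"""RFC 3962 string-to-key, PBKDF2 stage only (added example, stdlib only)."""
import hashlib

# RFC 3962 section 4: iteration count used when the KDC supplies no s2kparams.
DEFAULT_ITERATIONS = 4096


def default_salt(principal: str) -> bytes:
    """Default Kerberos salt (RFC 4120 section 4): the realm name followed by the
    principal's name components, concatenated without separators.
    'raeburn@ATHENA.MIT.EDU' -> b'ATHENA.MIT.EDUraeburn'."""
    name, realm = principal.rsplit("@", 1)
    return (realm + "".join(name.split("/"))).encode("utf-8")


def pbkdf2_stage(password: str, salt: bytes,
                 iterations: int = DEFAULT_ITERATIONS, key_bytes: int = 16) -> bytes:
    """First stage of AES string-to-key: PBKDF2-HMAC-SHA1 over the UTF-8 password.
    Each evaluation costs `iterations` HMAC-SHA1 computations; the only way back
    from the output to the password is to re-run this for every candidate.
    key_bytes is 16 for aes128-cts-hmac-sha1-96 and 32 for aes256-cts-hmac-sha1-96."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, key_bytes)


def stored_material_per_principal(password: str, principals: list[str],
                                  iterations: int = DEFAULT_ITERATIONS) -> dict[str, str]:
    """Show why the per-principal salt matters for a stolen database: the same
    password yields different stored material for every account, so work done
    against one principal's entry cannot be reused against another's."""
    return {p: pbkdf2_stage(password, default_salt(p), iterations).hex() for p in principals}


if __name__ == "__main__":
    # RFC 3962 Appendix B test vector: iteration count 1, 128-bit output.
    print(pbkdf2_stage("password", b"ATHENA.MIT.EDUraeburn", 1).hex())
    # Constructed principals: identical password, distinct derived material.
    for p, k in stored_material_per_principal("password", ["alice@EXAMPLE.COM", "bob@EXAMPLE.COM"]).items():
        print(p, k)
```

With 4096 iterations a single candidate password costs 4096 HMAC-SHA1 evaluations per principal, which is the "sufficient time" the post alludes to; it also shows why a dumped KDC database is derived key material rather than passwords.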