[Discuss] Why the dislike of X.509?

Richard Pieri richard.pieri at gmail.com
Fri Aug 29 10:42:01 EDT 2014


On 8/29/2014 7:12 AM, Derek Atkins wrote:
> So let me rephrase, because you're right a "dump" of the kdc database is
> still encrypted in the master key.  But if I can get a clone of the KDC
> disk then I've got *everything*, not just able to impersonate but as I
> stated before also able to read most communications that have already
> occurred.

This, however, is correct. You need the whole KDC, not just a dump of
the database. If you have that, the whole thing, then yes, you can do
anything and the only remediation is to start over from a clean slate.

Which is why anyone operating a KDC should have good physical and
logical security around it.


> Sure it does, it's called a "CRL"..  And OCSP..  But yes, it's
> definitely more work to remove bad actors from the trusted root CA list.

Not really. CRLs are blacklists. Use of CRLs assumes that all
certificates are good unless some party says otherwise. They do not
identify compromised certificates; they only identify certificates that
someone says have been compromised. OCSP addresses some of the
limitations of revocation lists, but since clients silently ignore timed-out
queries it fails to stop MITM attacks.

-- 
Rich P.
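As an added illustration of the blacklist point above (example code, not from this thread or its authors): a constructed test CA issues two certificates, the CRL names only one of them, and the check can say nothing more about the other than "not listed"; the policy function shows why a client that soft-fails on a timed-out revocation query ends up accepting. It uses the `cryptography` package, and every name, host and serial is constructed for the demo.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW = datetime.now(timezone.utc)
_name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(subject_cn, issuer_cn, signing_key, pubkey, is_ca):
    """Issue a one-day certificate in a constructed test PKI (not a real CA)."""
    return (x509.CertificateBuilder()
            .subject_name(_name(subject_cn)).issuer_name(_name(issuer_cn))
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - timedelta(minutes=1))
            .not_valid_after(NOW + timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signing_key, hashes.SHA256()))

def build_crl(ca_key, ca_cert, revoked_serials):
    """A CRL carries only the serials someone has told the CA to revoke."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(NOW).next_update(NOW + timedelta(hours=1)))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(serial).revocation_date(NOW).build())
    return b.sign(ca_key, hashes.SHA256())

def crl_status(cert, crl, ca_cert):
    """Blacklist check: absence from the CRL only means 'nobody reported it'."""
    if not crl.is_signature_valid(ca_cert.public_key()):
        return "crl-untrusted"
    listed = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    return "revoked" if listed is not None else "not-listed"

def accept(status, hard_fail):
    """Client policy: soft-fail turns a timed-out revocation query into acceptance."""
    if status in ("revoked", "crl-untrusted"):
        return False
    if status == "timeout":
        return not hard_fail
    return status in ("good", "not-listed")

def demo():
    ca_key, leaf_key, other_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    ca = issue("Test CA", "Test CA", ca_key, ca_key.public_key(), True)
    leaf = issue("host.example", "Test CA", ca_key, leaf_key.public_key(), False)
    other = issue("other.example", "Test CA", ca_key, other_key.public_key(), False)
    crl = build_crl(ca_key, ca, [leaf.serial_number])
    return crl_status(leaf, crl, ca), crl_status(other, crl, ca)
```

Running `demo()` reports the listed certificate as revoked and the other as merely not listed; `accept("timeout", hard_fail=False)` is the soft-fail behaviour the post criticises.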
