# BLU Discuss list archive


# [Discuss] Why the dislike of X.509?

- *Subject*: [Discuss] Why the dislike of X.509?
- *From*: richard.pieri at gmail.com (Richard Pieri)
- *Date*: Mon, 25 Aug 2014 16:37:14 -0400
- *In-reply-to*: <a7c1366d330261e2ee4906c8d08d0b94.squirrel@mail.mohawksoft.com>
- *References*: <53F9F6B9.4060505@stephenadler.com> <20140824161132.GE14848@randomstring.org> <be314521ab6bebb6add54d706b042f01.squirrel@mail.mohawksoft.com> <53FA1C3B.70908@gmail.com> <53FB19E5.4080602@aeminium.org> <53FB4A5D.2030305@gmail.com> <CA+h9Qs5GnC6d1ejBQC=crtHwxoDiFWo4Kn+xjt0eiA8Kr733_A@mail.gmail.com> <53FB70E6.50706@gmail.com> <CA+h9Qs5THPNEir7tLZNjzLWMpod=9UGWTSCeZS2nCwVY0Ox=-w@mail.gmail.com> <53FB7F0A.40105@gmail.com> <253113e101a6fc1b75e160dfbd3d0dbe.squirrel@mail.mohawksoft.com> <53FB9325.9010200@gmail.com> <a7c1366d330261e2ee4906c8d08d0b94.squirrel@mail.mohawksoft.com>

On 8/25/2014 3:55 PM, markw at mohawksoft.com wrote:

> If your system is compromised, you can be pretty sure that the attackers
> will be able to erase their tracks. This is the nature of cracking. The
> only way to be sure is to monitor access via an external logging system.

Again with the gross misrepresentation. Kerberos isn't necessarily centralized. It can be compartmentalized so that the entire organization isn't vulnerable to a single KDC compromise. Additionally, Kerberos itself has mechanisms to detect tampering. They can be worked around but doing so is much more difficult than using a stolen root certificate to cut and sign rogue node and site certificates.

> No security can withstand privileged access.

True, but with PKI and escrow a single attack can silently compromise the entire domain in one go.

--
Rich P.

**Follow-Ups**:

- **[Discuss] Why the dislike of X.509?** *From:* markw at mohawksoft.com (markw at mohawksoft.com)
