Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] Why the dislike of X.509?

As an aside:

On 8/26/2014 1:04 PM, Derek Atkins wrote:
> You (or someone) also brought up Kerberos.  Kerberos *IS* a key escrow
> system.  If an attacker breaks into your KDC they literally have all the
> keys to your kingdom.  Not only can they impersonate anyone, they can go

I operate a Kerberos realm. I am not able to tell my users their
passwords. I don't have them. Kerberos stores one-way hashes of users'
passwords. I could brute force the database with sufficient time but
that is steps removed from having the actual keys in my hands.

A bad actor can do quite a bit with a compromised KDC but these things
are well known. Steps to prevent compromise are well documented as are
steps to identify compromised KDCs and mitigate the damage that they can do.

Rich P.

BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!

Boston Linux & Unix /