BLU Discuss list archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Discuss] Why the dislike of X.509?
- Subject: [Discuss] Why the dislike of X.509?
- From: richard.pieri at gmail.com (Richard Pieri)
- Date: Wed, 27 Aug 2014 14:13:31 -0400
- In-reply-to: <sjmmwarchcd.fsf@securerf.ihtfp.org>
- References: <53F9F6B9.4060505@stephenadler.com> <20140824161132.GE14848@randomstring.org> <be314521ab6bebb6add54d706b042f01.squirrel@mail.mohawksoft.com> <53FA1C3B.70908@gmail.com> <53FB19E5.4080602@aeminium.org> <53FB4A5D.2030305@gmail.com> <CA+h9Qs5GnC6d1ejBQC=crtHwxoDiFWo4Kn+xjt0eiA8Kr733_A@mail.gmail.com> <53FB70E6.50706@gmail.com> <sjmmwarchcd.fsf@securerf.ihtfp.org>
As an aside: On 8/26/2014 1:04 PM, Derek Atkins wrote: > You (or someone) also brought up Kerberos. Kerberos *IS* a key escrow > system. If an attacker breaks into your KDC they literally have all the > keys to your kingdom. Not only can they impersonate anyone, they can go I operate a Kerberos realm. I am not able to tell my users their passwords. I don't have them. Kerberos stores one-way hashes of users' passwords. I could brute force the database with sufficient time but that is steps removed from having the actual keys in my hands. A bad actor can do quite a bit with a compromised KDC but these things are well known. Steps to prevent compromise are well documented as are steps to identify compromised KDCs and mitigate the damage that they can do. -- Rich P.
- Follow-Ups:
- [Discuss] Why the dislike of X.509?
- From: warlord at MIT.EDU (Derek Atkins)
- [Discuss] Why the dislike of X.509?
- References:
- [Discuss] vnc
- From: adler at stephenadler.com (Stephen Adler)
- [Discuss] vnc
- From: dsr at randomstring.org (Dan Ritter)
- [Discuss] vnc
- From: markw at mohawksoft.com (markw at mohawksoft.com)
- [Discuss] vnc
- From: richard.pieri at gmail.com (Richard Pieri)
- [Discuss] vnc
- From: nuno at aeminium.org (Nuno Sucena Almeida)
- [Discuss] Why the dislike of X.509?
- From: richard.pieri at gmail.com (Richard Pieri)
- [Discuss] Why the dislike of X.509?
- From: jabr at blu.org (John Abreau)
- [Discuss] Why the dislike of X.509?
- From: richard.pieri at gmail.com (Richard Pieri)
- [Discuss] Why the dislike of X.509?
- From: warlord at MIT.EDU (Derek Atkins)
- [Discuss] vnc
- Prev by Date: [Discuss] Wireless devices, 2 Wireless Routers, local network. DD-WRT
- Next by Date: [Discuss] Wireless devices, 2 Wireless Routers, local network. DD-WRT
- Previous by thread: [Discuss] Why the dislike of X.509?
- Next by thread: [Discuss] Why the dislike of X.509?
- Index(es):
