Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive


[Discuss] Why the dislike of X.509?

On 8/29/2014 7:12 AM, Derek Atkins wrote:
> So let me rephrase, because you're right a "dump" of the kdc database is
> still encrypted in the master key.  But if I can get a clone of the KDC
> disk then I've got *everything*, not just able to impersonate but as I
> stated before also able to read most communications that have already
> occurred.

This, however, is correct. You need the whole KDC, not just a dump of
the database. If you have that, the whole thing, then yes, you can do
anything and the only remediation is to start over from a clean slate.

Which is why anyone operating a KDC should have good physical and
logical security around it.

> Sure it does, it's called a "CRL". And OCSP. But yes, it's
> definitely more work to remove bad actors from the trusted root CA list.

Not really. CRLs are blacklists. Use of CRLs assumes that all
certificates are good unless some party says otherwise. They do not
identify compromised certificates; they only identify certificates that
someone says have been compromised. OCSP addresses some of the
limitations of revocation lists, but since clients silently ignore timed-out
queries it fails to stop MITM attacks.

Rich P.
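The revocation-check behaviour discussed above, modelled in Python as an added example (not code from this thread): a CRL acts as a blacklist, an OCSP timeout is accepted under soft-fail and rejected under hard-fail, and a must-staple certificate (RFC 7633 TLS Feature extension) cannot have its missing response ignored. The serial numbers, CRL contents and OCSP outcomes are constructed.

```python
from dataclasses import dataclass
from enum import Enum


class Ocsp(Enum):
    """Possible outcomes of an OCSP query made by the client."""
    GOOD = "good"        # responder vouched for the certificate
    REVOKED = "revoked"  # responder reports it revoked
    TIMEOUT = "timeout"  # no answer: outage, or an on-path party dropping it


@dataclass(frozen=True)
class Cert:
    serial: int
    # Constructed flag standing for the RFC 7633 TLS Feature extension
    # ("must-staple"): the server has to present a fresh OCSP response.
    must_staple: bool = False


# Constructed CRL: a blacklist of serials that some party reported as revoked.
CRL = frozenset({0x1001, 0x1002})


def crl_accepts(cert: Cert) -> bool:
    """CRL logic is a blacklist: anything not listed is presumed good,
    including a compromised certificate that nobody has reported yet."""
    return cert.serial not in CRL


def ocsp_accepts(cert: Cert, response: Ocsp, hard_fail: bool = False) -> bool:
    """Client decision given an OCSP outcome.

    soft-fail (default): a timed-out query is treated as no news = good news.
    hard-fail: a timed-out query rejects the connection.
    must-staple: the response must arrive in the handshake, so a blocked
    responder cannot be silently ignored.
    """
    if response is Ocsp.REVOKED:
        return False
    if response is Ocsp.GOOD:
        return True
    # Ocsp.TIMEOUT: only soft-fail without must-staple lets this through
    return not (hard_fail or cert.must_staple)


def client_accepts(cert: Cert, response: Ocsp, hard_fail: bool = False) -> bool:
    """Full check as a client would chain it: CRL first, then OCSP."""
    return crl_accepts(cert) and ocsp_accepts(cert, response, hard_fail)
```

`client_accepts(Cert(0x2001), Ocsp.TIMEOUT)` returns True even though serial 0x2001 is the constructed "compromised but unreported" certificate, which is exactly the gap the soft-fail default leaves open.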

BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
