BLU Discuss list archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Discuss] Why the dislike of X.509?
- Subject: [Discuss] Why the dislike of X.509?
- From: richard.pieri at gmail.com (Richard Pieri)
- Date: Fri, 29 Aug 2014 10:42:01 -0400
- In-reply-to: <sjmha0vblcy.fsf@securerf.ihtfp.org>
- References: <53F9F6B9.4060505@stephenadler.com> <20140824161132.GE14848@randomstring.org> <be314521ab6bebb6add54d706b042f01.squirrel@mail.mohawksoft.com> <53FA1C3B.70908@gmail.com> <53FB19E5.4080602@aeminium.org> <53FB4A5D.2030305@gmail.com> <CA+h9Qs5GnC6d1ejBQC=crtHwxoDiFWo4Kn+xjt0eiA8Kr733_A@mail.gmail.com> <53FB70E6.50706@gmail.com> <sjmmwarchcd.fsf@securerf.ihtfp.org> <53FE1FCB.7010405@gmail.com> <sjmvbpcbji2.fsf@securerf.ihtfp.org> <53FF75C6.7@gmail.com> <sjmha0vblcy.fsf@securerf.ihtfp.org>
On 8/29/2014 7:12 AM, Derek Atkins wrote: > So let me rephrase, because you're right a "dump" of the kdc database is > still encrypted in the master key. But if I can get a clone of the KDC > disk then I've got *everything*, not just able to impersonate but as I > stated before also able to read most communications that have already > occurred. This, however, is correct. You need the whole KDC, not just a dump of the database. If you have that, the whole thing, then yes, you can do anything and the only remediation is to start over from a clean slate. Which is why anyone operating a KDC should have good physical and logical security around it. > Sure it does, it's called a "CRL".. And OCSP.. But yes, it's > definitely more work to remove bad actors from the trusted root CA list. Not really. CRLs are blacklists. Use of CRLs assumes that all certificates are good unless some party says otherwise. They do not identify compromised certificates; they only identify certificates that someone says has been compromised. OCSP addresses some of the limitations of revocation lists but since clients silently ignore timed out queries it fails to stop MITM attacks. -- Rich P.
- References:
- [Discuss] vnc
- From: adler at stephenadler.com (Stephen Adler)
- [Discuss] vnc
- From: dsr at randomstring.org (Dan Ritter)
- [Discuss] vnc
- From: markw at mohawksoft.com (markw at mohawksoft.com)
- [Discuss] vnc
- From: richard.pieri at gmail.com (Richard Pieri)
- [Discuss] vnc
- From: nuno at aeminium.org (Nuno Sucena Almeida)
- [Discuss] Why the dislike of X.509?
- From: richard.pieri at gmail.com (Richard Pieri)
- [Discuss] Why the dislike of X.509?
- From: jabr at blu.org (John Abreau)
- [Discuss] Why the dislike of X.509?
- From: richard.pieri at gmail.com (Richard Pieri)
- [Discuss] Why the dislike of X.509?
- From: warlord at MIT.EDU (Derek Atkins)
- [Discuss] Why the dislike of X.509?
- From: richard.pieri at gmail.com (Richard Pieri)
- [Discuss] Why the dislike of X.509?
- From: warlord at MIT.EDU (Derek Atkins)
- [Discuss] Why the dislike of X.509?
- From: richard.pieri at gmail.com (Richard Pieri)
- [Discuss] Why the dislike of X.509?
- From: warlord at MIT.EDU (Derek Atkins)
- [Discuss] vnc
- Prev by Date: [Discuss] Wireless devices, 2 Wireless Routers, local network. DD-WRT
- Next by Date: [Discuss] Why the dislike of X.509?
- Previous by thread: [Discuss] Why the dislike of X.509?
- Next by thread: [Discuss] vnc
- Index(es):
