[7] in WWW Security List Archive
[Lei_Tang@gs59.sp.cs.cmu.edu: Re: Kerberos authentication for X-Mosaic 2.4 and NCSA HTTPD]
daemon@ATHENA.MIT.EDU (yandros@MIT.EDU)
Fri Aug 12 14:44:17 1994
From: yandros@MIT.EDU
Date: Fri, 12 Aug 1994 14:44:13 +0500
To: www-security.discuss@charon.LOCAL
From: Lei_Tang@gs59.sp.cs.cmu.edu
To: Doug Rosenthal <rosenthl@mcc.com>
Cc: www-security@ns1.rutgers.edu
Subject: Re: Kerberos authentication for X-Mosaic 2.4 and NCSA HTTPD
In-Reply-To: Your message of "Fri, 12 Aug 94 10:21:19 CDT."
<9408121521.AA17462@krypton.mcc.com>
Date: Fri, 12 Aug 94 11:55:59 -0400
>>Also, "(it is impossible to assign a public key to every user on the
>>internet practically)"; I think having an on-line certificate service
>>will help here.

If the server and the client are in the same realm (Kerberos name),
it is OK since the TGS knows the secret key of the server. But if the
client and the server are not in the same realm (that is most often the
case on the Internet), the server must share some secret with the TGS to
guarantee privacy and integrity.

Personally, I do not think the on-line service is good because the
on-line certificate server is a bottleneck and hence affects the scalability of
the system, since the system is intended for the Internet community.
Also, on-line certificates increase the cost of charging.
(For example, a credit card company uses an on-line certificate server.
Guess what the cost is for using a VISA card: $3 per transaction; this number
was from some guy working for VISA, while the cost for a check transaction
is 50-60 cents per transaction.) But the main problem is scalability.
Also, you have to think about fault tolerance: what happens if the
on-line service crashes? ......

--ltang