[129764] in cryptography@c2.net mail archive


Re: Strength in Complexity?

daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Mon Aug 4 17:46:25 2008

To: Arshad Noor <arshad.noor@strongauth.com>
Cc: Ben Laurie <ben@links.org>,  Cryptography <cryptography@metzdowd.com>
From: "Perry E. Metzger" <perry@piermont.com>
Date: Mon, 04 Aug 2008 15:05:02 -0400
In-Reply-To: <48975084.6000209@strongauth.com> (Arshad Noor's message of "Mon, 04 Aug 2008 11:55:00 -0700")


Arshad Noor <arshad.noor@strongauth.com> writes:
> Perry E. Metzger wrote:
>> That said, Kerberos tickets can persist even in the face of
>> disconnects, so once you've connected tickets can survive as long as
>> you wish.
>
> But, can the tickets be used for anything useful when the
> network does not exist?

If you have a local service that uses them, sure. In any case, a
ticket gives you access to a crypto key, and you can use that for all
sorts of things.

> SKMS clients can continue to provide the capability they were
> designed for, even when the network is unavailable - it was a
> critical design goal.

Well, again, you can do the same thing with Kerberos, and Kerberos has
the added advantage that there is a complete spec that fully handles
all the details and is actually implemented and available off the
shelf -- even built in to Windows. SKMS is vaporware that leaves all
the hard parts of the specification out.

> If this comes back to Ben's original statement about it being
> just a key-escrow service, then so be it.  But let's not dismiss
> the value standardization and abstraction of this capability
> provides

I'm inclined to dismiss it, if only because you can do all of it with
existing, implemented and fully specified tools with no added
complexity. I actually have much larger reservations, but I think that
alone eliminates the reason to consider it.

> - after all people didn't really need DBMS's 30 years
> ago because they could do all the data-management operations
> inside each application quite well, thank you!

I think that comparing the advance SQL made with SKMS seems a bit
unreasonable.

Perry
-- 
Perry E. Metzger		perry@piermont.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
