[16078] in cryptography@c2.net mail archive
Kerberos Design
daemon@ATHENA.MIT.EDU (Thomas Themel)
Wed Sep 1 15:52:59 2004
X-Original-To: cryptography@metzdowd.com
Date: Wed, 1 Sep 2004 20:59:28 +0200
From: Thomas Themel <themel@iwoars.net>
To: cryptography@metzdowd.com
Hi,
I'm currently looking into implementing a single sign-on solution for
distributed services.
The requirement profile seems to somewhat fit Kerberos, but I'm
not entirely convinced that I can use it in my scenario - which can't
simply run an off-the-shelf KDC and use UDP for communication with it.
However, years of reading various crypto resources have strongly
conditioned me against simple-minded attempts to "roll my own" as a
crypto dilettante.
I've been trying to study Kerberos' design history in the recent past
and have failed to come up with a good resource that explains why things
are built the way they are.
Since I'm already using OpenSSL for various SSL/x.509 related things,
I'm most astonished by the almost total absence of public key
cryptography in Kerberos, and I haven't been able to find out why this
design choice was made - performance reasons, given that at its
inception public key operation cost was probably much more prohibitive?
So, I'd like to ask the audience:
- Is there a good web/book/whatever resource regarding the design
of Kerberos? Amazon offers the O'Reilly book, which, from the
abstract, seems to take the cryptographic design of Kerberos as
a given and concentrates on its usage, and another one that also
doesn't seem to give much detail on the issue. Something in the
direction of EKR's SSL/TLS book would be very much appreciated.
- Is Kerberos a sane choice to adapt for such solutions today?
Is there anything more recent that I should be aware of?
thanks,
--
[*Thomas Themel*]
[extended contact] But let your communication be, Yea, yea; Nay, nay:
[info provided in] for whatsoever is more than these cometh of evil.
[*message header*] - Matthew 5:37
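Editor's note, not part of the original message: the question above is why Kerberos gets by without public-key cryptography. The short answer is that the KDC shares a long-term symmetric key with every principal and acts as the trusted introducer, so every step (pre-authentication, ticket-granting ticket, service ticket, authenticator) is an encrypt-under-a-shared-key operation and no signature or key agreement is ever needed. The following Python model of the Kerberos v5 AS, TGS and AP exchanges is an added illustration written for this page, not Kerberos code and not code from the poster. Everything in it is an assumption for the sake of the demo: the realm with principals alice, krbtgt and host/mail, the password, the 300-second skew, and a toy authenticated-encryption scheme built from HMAC-SHA256 that stands in for the real enctypes and ASN.1 message formats.

```python
"""Simplified model of the Kerberos v5 AS, TGS and AP exchanges using only
symmetric keys: every principal shares a long-term key with the KDC, so no
public-key operation appears anywhere. Toy cipher and names are constructed."""
import hashlib, hmac, json, os, time
SKEW = 300  # seconds of clock skew tolerated, a typical KDC default (assumed)

_prf = lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    blocks = len(data) // 32 + 1
    stream = b"".join(_prf(key, nonce + i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption of a JSON object: nonce || ct || tag."""
    nonce, pt = os.urandom(16), json.dumps(obj, sort_keys=True).encode()
    ct = _xor_stream(_prf(key, b"enc"), nonce, pt)
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise ValueError("integrity check failed: wrong key or tampered blob")
    return json.loads(_xor_stream(_prf(key, b"enc"), nonce, ct))

def string_to_key(password: str, principal: str) -> bytes:
    """Password-derived long-term key (stand-in for Kerberos string-to-key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def fresh(ts: float, now: float) -> bool:
    return abs(now - ts) <= SKEW

class KDC:
    """Holds every principal's long-term key; issues tickets, never signs."""
    def __init__(self, keys: dict):
        self.keys, self.seen = keys, set()   # seen = authenticator replay cache
    def as_exchange(self, req: dict, now: float) -> dict:
        kc = self.keys[req["cname"]]
        pa = unseal(kc, req["pa_enc_timestamp"])   # proves the client knows kc
        if not fresh(pa["ts"], now):
            raise ValueError("pre-auth timestamp outside clock skew")
        sk, end = os.urandom(32), now + 8 * 3600
        tgt = seal(self.keys["krbtgt"], {"cname": req["cname"], "sk": sk.hex(), "end": end})
        enc = seal(kc, {"sk": sk.hex(), "nonce": req["nonce"], "sname": "krbtgt", "end": end})
        return {"tgt": tgt, "enc_part": enc}
    def tgs_exchange(self, req: dict, now: float) -> dict:
        tgt = unseal(self.keys["krbtgt"], req["tgt"])  # only the KDC can open a TGT
        sk1 = bytes.fromhex(tgt["sk"])
        auth = unseal(sk1, req["authenticator"])
        if tgt["end"] < now or auth["cname"] != tgt["cname"] or not fresh(auth["ts"], now):
            raise ValueError("TGS-REQ rejected: expired TGT or bad authenticator")
        if (auth["cname"], auth["ts"]) in self.seen:
            raise ValueError("TGS-REQ rejected: replayed authenticator")
        self.seen.add((auth["cname"], auth["ts"]))
        sk2, end = os.urandom(32), min(tgt["end"], now + 3600)
        tkt = seal(self.keys[req["sname"]], {"cname": tgt["cname"], "sk": sk2.hex(), "end": end})
        enc = seal(sk1, {"sk": sk2.hex(), "nonce": req["nonce"], "sname": req["sname"], "end": end})
        return {"ticket": tkt, "enc_part": enc}

def client_login(kdc: KDC, cname: str, password: str, now: float) -> dict:
    kc, nonce = string_to_key(password, cname), os.urandom(8).hex()
    req = {"cname": cname, "nonce": nonce, "pa_enc_timestamp": seal(kc, {"ts": now})}
    rep = kdc.as_exchange(req, now)
    enc = unseal(kc, rep["enc_part"])           # only the right password opens this
    if enc["nonce"] != nonce:
        raise ValueError("AS-REP nonce mismatch")
    return {"cname": cname, "tgt": rep["tgt"], "sk": bytes.fromhex(enc["sk"])}

def client_service_ticket(kdc: KDC, cred: dict, sname: str, now: float) -> dict:
    nonce = os.urandom(8).hex()
    authenticator = seal(cred["sk"], {"cname": cred["cname"], "ts": now})
    rep = kdc.tgs_exchange({"tgt": cred["tgt"], "sname": sname, "nonce": nonce,
                            "authenticator": authenticator}, now)
    enc = unseal(cred["sk"], rep["enc_part"])
    if enc["nonce"] != nonce or enc["sname"] != sname:
        raise ValueError("TGS-REP mismatch")
    return {"ticket": rep["ticket"], "sk": bytes.fromhex(enc["sk"])}

def service_accept(svc_key: bytes, ap_req: dict, now: float) -> str:
    # AP-REQ: the ticket opens with the service key, the authenticator with the session key
    tkt = unseal(svc_key, ap_req["ticket"])
    auth = unseal(bytes.fromhex(tkt["sk"]), ap_req["authenticator"])
    if tkt["end"] < now or auth["cname"] != tkt["cname"] or not fresh(auth["ts"], now):
        raise ValueError("AP-REQ rejected")
    return tkt["cname"]

def demo(password: str = "correct horse") -> str:
    # Full login -> service ticket -> service access; returns the authenticated name
    now = time.time()
    realm = {"alice": string_to_key("correct horse", "alice"),
             "krbtgt": os.urandom(32), "host/mail": os.urandom(32)}
    kdc = KDC(realm)
    cred = client_login(kdc, "alice", password, now)
    st = client_service_ticket(kdc, cred, "host/mail", now)
    ap_req = {"ticket": st["ticket"],
              "authenticator": seal(st["sk"], {"cname": "alice", "ts": now})}
    return service_accept(realm["host/mail"], ap_req, now)

def wrong_password_rejected() -> bool:
    try:
        demo("wrong password")
    except ValueError:
        return True
    return False
```

Points to notice in the model: the client never sends its key or a hash of it, only a timestamp sealed under it; the service never talks to the KDC at all, it just needs its own key to open the ticket; and the client's long-term key is used exactly once per login, after which only short-lived session keys cross the wire. Those properties, plus the replay cache and clock-skew check, are what the symmetric trusted-third-party design buys, and none of them require an asymmetric operation. What it does not give you is anything a public-key design would, such as a KDC that holds no client secrets or offline verification of a ticket without sharing the service key.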
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com