[10286] in bugtraq
Re: Plain text passwords--necessary
daemon@ATHENA.MIT.EDU (Daniel Alex Finkelstein)
Tue Apr 20 14:10:54 1999
Date: Mon, 19 Apr 1999 18:23:14 -0400
Reply-To: dfinkels@SIAC.COM
From: Daniel Alex Finkelstein <dfinkels@SIAC.COM>
X-To: Trevor Schroeder <tschroed@ACM.ORG>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.BSO.4.10.9904191259560.1035@duckdog.zweknu.org>
And we could go even further: certificates. The DCE-PKI RFC 68.4 takes
Kerberos to a new level: certificate-granting-certificates. This RFC
specifies the extension of DCE (particularly the Kerberos part) to include
certificate capabilities. I'd provide the URL to the RFC, but it seems to
have vanished from all the usual sites...
On Mon, 19 Apr 1999, Trevor Schroeder wrote:
> It seems to me that a lot of this could be avoided using tickets similar to
> Kerberos. We have a trusted third party (TTP) that receives your
> credentials once and returns a ticket for a set of services with a given
> lifetime. This ticket is good only within a certain context (certain
> services, servers, clients, times, dates, you name it and it can be rolled
> into the ticket). That way if the ticket is compromised, it is of limited
> use (versus a full blown password which may be useful in other contexts.)
Daniel Alex Finkelstein
New Technologies
phone 212-383-2951
pager 917-427-1630
fax 212-383-3289
Securities Industry Automation Corporation
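The scoped-ticket idea in the quoted paragraph, as an added illustration that is not part of this thread and is not real Kerberos or DCE: a trusted third party issues a ticket bound to one client, one service and a time window, authenticated with a key shared only with that service, so a leaked ticket is useless outside that scope. The service names, client names and keys are constructed for the demo.

```python
import hmac, hashlib, json, time, secrets

# Constructed demo: each service shares a distinct key with the TTP, so a
# ticket minted for one service cannot be replayed against another.
SERVICE_KEYS = {"mail": secrets.token_bytes(32), "files": secrets.token_bytes(32)}

def issue_ticket(ttp_keys, client, service, lifetime_s, now=None):
    """TTP side: the client's credentials are assumed to have been checked
    once already; emit a ticket good only for this client, this service,
    and this time window."""
    if service not in ttp_keys:
        raise KeyError("unknown service")
    now = time.time() if now is None else now
    body = {"client": client, "service": service,
            "not_before": now, "not_after": now + lifetime_s}
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(ttp_keys[service], payload, hashlib.sha256).digest()
    return payload + b"." + tag.hex().encode()

def verify_ticket(service_key, service_name, ticket, claimed_client, now=None):
    """Service side: accept only if the MAC verifies under this service's key
    and the ticket's scope matches the request. Returns (ok, reason)."""
    now = time.time() if now is None else now
    try:
        payload, tag_hex = ticket.rsplit(b".", 1)   # hex tag has no '.'
        body = json.loads(payload)
        tag = bytes.fromhex(tag_hex.decode())
    except (ValueError, UnicodeDecodeError):
        return False, "malformed"
    expected = hmac.new(service_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad mac"          # forged, tampered, or another service's ticket
    if body["service"] != service_name:
        return False, "wrong service"    # defense in depth if keys were ever shared
    if body["client"] != claimed_client:
        return False, "wrong client"     # ticket stolen and presented by someone else
    if not (body["not_before"] <= now <= body["not_after"]):
        return False, "expired"          # lifetime bounds the damage of a leak
    return True, "ok"
```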