[39609] in Kerberos
RE: ldap tls question
daemon@ATHENA.MIT.EDU (Brent Kimberley via Kerberos)
Thu Apr 16 14:36:16 2026
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>, "kerberos@mit.edu" <kerberos@mit.edu>
Date: Thu, 16 Apr 2026 18:34:59 +0000
Message-ID: <YQBPR0101MB8463FDEBE81AEAAB45559D72FA232@YQBPR0101MB8463.CANPRD01.PROD.OUTLOOK.COM>
In-Reply-To: <202604161827.63GIRXt0011266@hedwig.cmf.nrl.navy.mil>
Content-Language: en-US
MIME-Version: 1.0
From: Brent Kimberley via Kerberos <kerberos@mit.edu>
Reply-To: Brent Kimberley <Brent.Kimberley@Durham.ca>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
My point was that published estimates for classical key periods have dropped roughly 10,000 X in the last five to six years.
-----Original Message-----
From: Kerberos <kerberos-bounces@mit.edu> On Behalf Of Ken Hornstein via Kerberos
Sent: April 16, 2026 2:28 PM
To: kerberos@mit.edu
Subject: Re: ldap tls question
>Using the "usual place" is questionable, as it includes the mass of
>Internet CAs. If you trust them to never issue certs for your LDAP
>server name, fine. I'm less sanguine about the security of random CAs
>(and there have been multiple past incidents of bogus certs being issued).
It's a fair point, but ... what we've found is that if you DON'T put your private PKI certificates into the OS store, then a whole LOT of stuff doesn't work (e.g., curl, your favorite package download tool, etc. etc.), especially if you are a large organization and use your private PKI for a lot of services (e.g., the Department of Defense). It just becomes untenable in practice.
I am aware of rogue certificates being issued, but the CAs that participate in most OS trusted root programs seem to have coalesced around a common set of requirements for issuance that seem hard to defeat without a serious compromise. At least with CT logs you can see if someone has issued a certificate for your site that you didn't authorize. It's not perfect but I am not sure what is when it comes to PKI.
--Ken
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
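Ken's remark about CT logs, as an added example that is not code from either poster: a small Python check over CT search results that flags unexpired certificates naming your LDAP hosts but issued by a CA outside your allowlist. The record shape is modeled on crt.sh's JSON output (the field names issuer_name, name_value, not_after are an assumption about that format), and all hostnames, issuer DNs and records below are constructed.

```python
import json
from datetime import datetime

# Hosts we operate and the issuer DNs we authorized for them (constructed values).
WATCHED_HOSTS = {"ldap.example.org", "ldap2.example.org"}
AUTHORIZED_ISSUERS = {"C=US, O=Example Corp, CN=Example Corp Internal CA G2"}

# Constructed CT search results, shaped like the JSON records crt.sh returns
# (issuer_name, name_value with one SAN per line, not_before, not_after).
SAMPLE_CT_RESULTS = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Example Corp, CN=Example Corp Internal CA G2",
     "name_value": "ldap.example.org\nldap2.example.org",
     "not_before": "2026-01-10T00:00:00", "not_after": "2027-01-10T00:00:00"},
    {"id": 2, "issuer_name": "C=XX, O=Some Public CA, CN=Some Public CA DV R3",
     "name_value": "ldap.example.org",
     "not_before": "2026-04-01T00:00:00", "not_after": "2026-06-30T00:00:00"},
    {"id": 3, "issuer_name": "C=XX, O=Other Public CA, CN=Other Public CA R1",
     "name_value": "*.example.org\nexample.org",
     "not_before": "2026-03-01T00:00:00", "not_after": "2026-12-31T00:00:00"},
    {"id": 4, "issuer_name": "C=XX, O=Some Public CA, CN=Some Public CA DV R3",
     "name_value": "ldap2.example.org",
     "not_before": "2025-01-01T00:00:00", "not_after": "2025-12-31T00:00:00"},
])

def names_in_entry(entry):
    # name_value lists SANs one per line; normalise to a lowercase set
    return {n.strip().lower() for n in entry["name_value"].splitlines() if n.strip()}

def covers(name, host):
    # a "*.example.org" name matches exactly one extra label, nothing deeper
    if name.startswith("*."):
        return "." in host and host.split(".", 1)[1] == name[2:]
    return name == host

def find_unauthorized(ct_json, watched, authorized, now):
    # unexpired CT entries naming a watched host, issued by a CA we did not authorize
    findings = []
    for entry in json.loads(ct_json):
        if entry["issuer_name"] in authorized:
            continue
        if datetime.fromisoformat(entry["not_after"]) < now:
            continue  # already expired: cannot be presented for our hosts today
        hit = sorted(h for h in watched if any(covers(n, h) for n in names_in_entry(entry)))
        if hit:
            findings.append({"id": entry["id"], "issuer": entry["issuer_name"], "hosts": hit})
    return findings

def check_sample():
    # run the check over the constructed sample as of 2026-04-16
    return find_unauthorized(SAMPLE_CT_RESULTS, WATCHED_HOSTS, AUTHORIZED_ISSUERS, datetime(2026, 4, 16))
```

Feeding real crt.sh results into find_unauthorized turns this into the periodic "did anyone else get a cert for my LDAP name" check Ken describes; a wildcard issued for the parent domain is caught as well.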