[5636] in Kerberos
Re: SSL as Kerb replacement?
daemon@ATHENA.MIT.EDU (Derek Atkins)
Tue Aug 8 23:58:12 1995
Date: Tue, 8 Aug 1995 20:23:20 -0700
From: Derek Atkins <warlord@ihtfp.org>
To: bkelley@cup.hp.com (Bob Kelley)
Cc: kerberos@MIT.EDU
In-Reply-To: "[5635] in Kerberos"

> Have any of you thought about using SSL-ized applications
> (telnet, ftp, etc) instead of kerberized applications? I
> got the SSLeay library and ftp/telnet/httpd and was quite
> impressed by them vs kerberized apps. No KDC required!

The problem with using SSL is that there is no authentication. Yes,
you can easily encrypt the connection, but you still do not get any
kind of user<->server authentication. There is no way for the server
to know who you are, save for you typing your password, which defeats
the idea of single signon.

Kerberos gives you a means to signon once, obtain Kerberos tickets,
and then log into as many hosts as you want without requiring you to
re-authenticate. SSL does not, and cannot, provide this
functionality.

SSL has its uses, but so does Kerberos.

-derek
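
The sign-on-once ticket flow described in the message above, as an added example that is not part of the original post or of any Kerberos implementation: a simplified Python model in which the password-derived key is used a single time and tickets then admit the user to two hosts. Everything here is an assumption made for illustration: the names `seal`, `unseal`, `KDC`, `service_accept` and `demo`, the principals, and the toy SHA-256/HMAC cipher; real Kerberos also carries timestamps, lifetimes and replay protection, which are omitted.

```python
import hashlib, hmac, json, os

def _stream(key, nonce, n):  # toy SHA-256 keystream standing in for a real cipher
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))

def seal(key, obj):
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class KDC:
    def __init__(self, users, services):
        self.tgs_key, self.users, self.services = os.urandom(32), users, services
    def initial_login(self, user):
        """Sign-on: a TGT only the KDC can read, plus a session key sealed under the user's key."""
        sk = os.urandom(32).hex()
        return seal(self.tgs_key, {"user": user, "sk": sk}), seal(self.users[user], {"sk": sk})
    def service_ticket(self, tgt, authenticator, service):  # the TGT replaces the password
        t = unseal(self.tgs_key, tgt)
        sk = bytes.fromhex(t["sk"])
        if unseal(sk, authenticator)["user"] != t["user"]:
            raise ValueError("authenticator does not match TGT")
        ssk = os.urandom(32).hex()
        return seal(self.services[service], {"user": t["user"], "sk": ssk}), seal(sk, {"sk": ssk})

def service_accept(service_key, ticket, authenticator):
    """Run by the host: it learns who the user is from the ticket and never sees a password."""
    t = unseal(service_key, ticket)
    if unseal(bytes.fromhex(t["sk"]), authenticator)["user"] != t["user"]:
        raise ValueError("authenticator does not match ticket")
    return t["user"]

def demo():  # constructed principals and keys, for illustration only
    user_key = hashlib.sha256(b"constructed-password").digest()  # toy password-to-key step
    kdc = KDC({"alice": user_key}, {"telnet/hostA": os.urandom(32), "ftp/hostB": os.urandom(32)})
    tgt, reply = kdc.initial_login("alice")
    sk = bytes.fromhex(unseal(user_key, reply)["sk"])  # the only use of the password-derived key
    logins = {}
    for name in kdc.services:
        ticket, reply = kdc.service_ticket(tgt, seal(sk, {"user": "alice"}), name)
        ssk = bytes.fromhex(unseal(sk, reply)["sk"])
        logins[name] = service_accept(kdc.services[name], ticket, seal(ssk, {"user": "alice"}))
    return logins
```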