[5639] in Kerberos
Re: SSL as Kerb replacement?
daemon@ATHENA.MIT.EDU (Ed Phillips)
Wed Aug 9 10:08:52 1995
Date: Wed, 9 Aug 1995 10:00:03 -0400 (EDT)
From: Ed Phillips <flaregun@UDel.Edu>
To: kerberos@MIT.EDU
In-Reply-To: <199508090323.UAA17585@ihtfp.org>

On Tue, 8 Aug 1995, Derek Atkins wrote:
> > Have any of you thought about using SSL-ized applications
> > (telnet, ftp, etc) instead of kerberized applications? I
> > got the SSLeay library and ftp/telnet/httpd and was quite
> > impressed by them vs kerberized apps. No KDC required!
>
> The problem with using SSL is that there is no authentication. Yes,
> you can easily encrypt the connection, but you still do not get any
> kind of user<->server authentication. There is no way for the server
> to know who you are, save for you typing your password, which defeats
> the idea of single signon.

This is not completely true... the server is authenticated to the
client since the server must know the private key.

> Kerberos gives you a means to signon once, obtain kerberos tickets,
> and then log into as many hosts as you want without requiring you to
> re-authenticate. SSL does not, and can not, provide this
> functionality.
>

True. Kerberos has credentials that last for more than one
session (or connection). I guess many would argue that this is _not_ a
good thing.

> SSL has its uses, but so does Kerberos.
>
> -derek
>
+-------------------------------------------------------------------------+
| Ed Phillips <flaregun@udel.edu> University of Delaware (302) 831-6082 |
| Jr Systems Programmer, Network and Systems Services, Info. Technologies |
| Public key footprint: 1C D4 AC C2 A3 D5 97 AA DB 3B D8 85 88 E7 40 B8 |
| Finger flaregun@udel.edu for PGP public key |
+-------------------------------------------------------------------------+