[5641] in Kerberos
Re: SSL as Kerb replacement?
daemon@ATHENA.MIT.EDU (W. Donald Rolph III)
Wed Aug 9 13:47:07 1995
Date: Wed, 09 Aug 1995 13:27:32 -0400
To: orion@iastate.edu (Phi H Truong), kerberos@MIT.EDU
From: "W. Donald Rolph III" <w-rolph@ds.mc.ti.com>
At 02:56 PM 8/9/95 GMT, Phi H Truong wrote:
>In article <199508090323.UAA17585@ihtfp.org>,
>Derek Atkins <warlord@ihtfp.org> wrote:
>>The problem with using SSL is that there is no authentication. Yes,
>>you can easily encrypt the connection, but you still do not get any
>>kind of user<->server authentication. There is no way for the server
>>to know who you are, save for you typing your password, which defeats
>>the idea of single signon.
>>
>>Kerberos gives you a means to signon once, obtain kerberos tickets,
>>and then log into as many hosts as you want without requiring you to
>>re-authenticate. SSL does not, and can not, provide this
>>functionality.
>>
>>SSL has its uses, but so does Kerberos.
>>
>
>According to the authors of SSLeay, there will be kerberos authentication
>incorporated into SSL in the future.
>
>
Which means that SSL is not a replacement for Kerberos.
There are no easy fixes here, and no one is going to hand us a candy which
solves our distributed security problem. If we want distributed vendor
neutral security, we have to work for it. We are in the middle of early
Kerberos/Athena in M&C and the planning and checking we are going through to
make sure we don't bruise our shins is the worst I have ever gone through on
a system integration project.
Regards.
Don Rolph w-rolph@ds.mc.ti.com WD3 MS10-13 (508)-236-1263