Re: alternative to user-to-user Kerberos in KINK
>This includes both AS_REQ and TGS_REQ. In my proposal, a Kerberized server
>would not have to generate either. The key management protocol between the
>IPSec peers is not Kerberos anyway - it just utilizes Kerberos objects for
>authentication.
I understand that, but one of your justifications is that it's easier
to develop a KDC that doesn't have to implement U2U tickets. My point
is:
a) I'm not convinced it's significantly easier
b) Such a KDC couldn't claim to implement the Kerberos protocol
So I don't think this is a very good argument.
--Ken