RE: alternative to user-to-user Kerberos in KINK
All I was saying is that although you can do peer-to-peer authentication
with Kerberos, you shouldn't require it for an architecture where you don't
have a peer-to-peer relationship.
Sasha.
> -----Original Message-----
> From: Bill Sommerfeld [mailto:sommerfeld@xxxxxxxxxxxx]
> Sent: Monday, November 20, 2000 11:06 AM
> To: Medvinsky, Sasha (SD-EX)
> Cc: 'Derek Atkins'; 'Michael Thomas'; 'ietf-kink@xxxxxxxx'
> Subject: Re: alternative to user-to-user Kerberos in KINK
>
>
> > KINK is a peer-to-peer protocol,
>
> yes
>
> > but Kerberos is not.
>
> Kerberos is a 3-party protocol involving a KDC and two principals.
>
> All principals in possession of their long term key can trivially do
> peer-to-peer authentication. The user-to-user extension in Kerberos
> v5 also lets "clients" which only have a TGT do peer-to-peer
> authentication without possession of the long-term key.
>
> - Bill
>