Re: alternative to user-to-user Kerberos in KINK
On Mon, 20 Nov 2000, Bill Sommerfeld wrote:
> > Agreed. I measure it in terms of added complexity WITHIN the same protocol. A
> > new enrollment protocol may be somewhat complex, but this complexity is
> > orthogonal to KINK, thus making KINK easier to analyze for security. Adding
> > more exchanges for corner-cases certainly doesn't help people analyze it for
> > weaknesses.
>
> true. i've suggested on numerous occasions that KINK should avoid
> this problem by always using user-to-user.
>
I guess that's one way. The other is to never use u-u, and force everyone to
be a principal in the KDC. Not being a 100% Kerberos expert, this appeals to me
more, especially in light of the fact that a pkinit-enrollment may be useful
in other protocols/occasions (I'm guessing).
jan
--
Jan Vilhuber vilhuber@xxxxxxxxx
Cisco Systems, San Jose (408) 527-0847