Re: alternative to user-to-user Kerberos in KINK

Bill Sommerfeld writes:
 > > Agreed. I measure it in terms of added complexity WITHIN the same protocol. A
 > > new enrollment protocol may be somewhat complex, but this complexity is
 > > orthogonal to KINK, thus making KINK easier to analyze for security. Adding
 > > more exchanges for corner-cases certainly doesn't help people analyze it for
 > > weaknesses.
 > True. I've suggested on numerous occasions that KINK should avoid
 > this problem by always using user-to-user.

   User-User pretty much forces the normal create SA case to be a
   two round trip affair. One of the goals here is to reduce keying
   latency, and cutting out round trips is an obvious means to that
   goal.