Strength in Complexity?
Perry E. Metzger
perry at piermont.com
Mon Aug 4 14:10:05 EDT 2008
Arshad Noor <arshad.noor at strongauth.com> writes:
> That said, Kerberos clearly has the benefit of 20+ years of research
> and use in the field. However, there are two fundamental differences
> between SKSML and Kerberos, IMHO:
>
> 1) The design goals for Kerberos were very different from SKSML. The
> former solves the problem of network-authentication in the face of
> insecure hosts/networks, while the latter focuses on long-term key
> management.
Well, Kerberos does both, really. It also has the advantage that it
is fully specified and integrates with GSSAPI.
> That they both use very similar concepts & components
> to deliver quite different benefits to applications is testament to
> the strength and flexibility of the underlying components rather
> than to a weakness of SKSML.
>
> 2) AFAIK, Kerberos clients cannot deliver their stated benefit (network
> authentication) in the absence of the network or the Kerberos server.
It is generally hard to deliver network authentication without a
network. That said, Kerberos tickets can persist even in the face of
disconnects, so once you've connected, tickets can survive as long as
you wish.
> SKSML is designed to allow disconnected EKMI clients to continue
> providing cryptographic services to applications even in the absence
> of the network or the key-management server. However, it does
> require that the Symmetric Key Client Library (SKCL) have connected
> to the Symmetric Key Services (SKS) server at least once before it
> can use this capability.
That's no different from Kerberos, and Kerberos works quite well
already.
Perry
--
Perry E. Metzger perry at piermont.com
---------------------------------------------------------------------
The Cryptography Mailing List