Strength in Complexity?

Perry E. Metzger perry at
Mon Aug 4 15:05:02 EDT 2008

Arshad Noor <arshad.noor at> writes:
> Perry E. Metzger wrote:
>> That said, kerberos tickets can persist even in the face of
>> disconnects, so once you've connected tickets can survive as long as
>> you wish.
> But, can the tickets be used for anything useful when the
> network does not exist?

If you have a local service that uses them, sure. In any case, a
ticket gives you access to a crypto key, and you can use that for all
sorts of things.

> SKMS clients can continue to provide the capability they were
> designed for, even when the network is unavailable - it was a
> critical design goal.

Well, again, you can do the same thing with Kerberos, and Kerberos has
the added advantage that there is a complete spec that fully handles
all the details and is actually implemented and available off the
shelf -- even built into Windows. SKMS is vaporware that leaves all
the hard parts of the specification out.

> If this comes back to Ben's original statement about it being
> just a key-escrow service, then so be it.  But let's not dismiss
> the value standardization and abstraction of this capability
> provides

I'm inclined to dismiss it, if only because you can do all of it with
existing, implemented and fully specified tools with no added
complexity. I actually have much larger reservations, but I think that
alone eliminates the reason to consider it.

> - after all people didn't really need DBMS's 30 years
> ago because they could do all the data-management operations
> inside each application quite well, thank you!

I think that comparing the advance SQL made with SKMS seems a bit

Perry E. Metzger		perry at

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at
