[Cryptography] Transparent remote file access

Darren Moffat darren at nessieroo.com
Tue Nov 28 04:10:08 EST 2017


You say you don't trust your KDC admin but do you trust your DNS admin ?
What about the administrator of the naming service which is probably LDAP ?
Are you running LDAP over TLS ? How are you managing the certificate trust
anchors for LDAP so you know you are connecting to the correct servers?

I understand your concern with Kerberos but really it plus DNS and LDAP
(which is going to be present in almost all but the tiny deployments) all
need to be considered and probably need to be equivalently secured and
trusted. Which is why Microsoft having them all together in Active
Directory is often a good thing (see also IPA server)

Darren
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20171128/c922ded3/attachment.html>


More information about the cryptography mailing list