[Cryptography] Transparent remote file access

Phillip Hallam-Baker phill at hallambaker.com
Thu Nov 30 09:00:24 EST 2017


On Tue, Nov 28, 2017 at 4:10 AM, Darren Moffat <darren at nessieroo.com> wrote:

> You say you don't trust your KDC admin but do you trust your DNS admin ?
> What about the administrator of the naming service which is probably LDAP ?
> Are you running LDAP over TLS ? How are you managing the certificate trust
> anchors for LDAP so you know you are connecting to the correct servers?
>

I have already removed the DNS admin from the trust nexus using Strong
Internet Names which are essentially PGP like fingerprints embedded in DNS
names.

http://www.prismproof.org/Documents/draft-hallambaker-sin.html

I would rather poke my eyes out with a stick than use LDAP.

> I understand your concern with Kerberos but really it plus DNS and LDAP
> (which is going to be present in almost all but the tiny deployments) all
> need to be considered and probably need to be equivalently secured and
> trusted. Which is why Microsoft having them all together in Active
> Directory is often a good thing (see also IPA server)
>
>

This is really not helpful. I am aware that there are many security
concerns. Right now, the security concern I am looking at is
confidentiality risk from Mallet having god access to my enterprise file
system.

If I had thought up a solution to a different problem then I would be
asking about that. Right now, I am focusing on the problem I have a
solution for and looking to see if someone else has solved it already.