[Cryptography] secure authentication ... as opposed to passwords

John Gilmore gnu at toad.com
Wed May 9 02:21:20 EDT 2018


To what extent does Kerberos solve this problem?

As I recall from using it for various things over the last 30 years,
its UI is stupid; like PGP, it assumes that you want one identity to
authenticate you to everyplace you go, instead of making it easy to
use separate identities with separate vendors; it still hasn't learned
about the Domain Name System and instead has its own strange idea of
not-quite-domain "REALMS"; etc.  But does it do the basic thing --
authentication without sending plaintext passwords -- that you're
asking for?  It's already an Internet standard, and even widely used
on Microsoft platforms.  Could it be de-crufted for use in web
authentication?

Also, the last (Ubuntu) kerberos I tried to use seemed to still be
using a SHA1 HMAC, even though it is also using aes256
("aes256-cts-hmac-sha1-96")?  And it seemed to have some single-DES
keys lying around "for compatibility with K4", along with an RC4-HMAC
and a 3DES key?  At first glance, that looks perfect for downgrade
attacks.

	John
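
An added example, not part of John's post and not code from MIT Kerberos or any distribution: a small Python auditor that reads output in the layout of `klist -ke` (a keytab listing) and reports which principals still hold keys under the single-DES, RC4-HMAC and 3DES enctypes the post mentions, so an administrator can find and retire them rather than leave them "lying around". The sample listing, the principal names and the weak/strong enctype policy are constructed assumptions; the AES enctype names are the ones MIT krb5 uses.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of `klist -ke` (an MIT keytab listing);
# not captured from any real host. The second principal has only AES keys.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/legacy.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   3 host/legacy.example.test@EXAMPLE.TEST (arcfour-hmac)
   3 host/legacy.example.test@EXAMPLE.TEST (des3-cbc-sha1)
   3 host/legacy.example.test@EXAMPLE.TEST (des-cbc-crc)
   5 host/modern.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   5 host/modern.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
"""

# Assumed audit policy: single-DES, RC4-HMAC and 3DES are the families the
# post calls out; the AES enctypes are what current MIT krb5 defaults use.
WEAK_ETYPES = {
    "des-cbc-crc": "single DES", "des-cbc-md4": "single DES",
    "des-cbc-md5": "single DES", "des-hmac-sha1": "single DES",
    "arcfour-hmac": "RC4-HMAC", "arcfour-hmac-md5": "RC4-HMAC",
    "arcfour-hmac-exp": "RC4-HMAC (export)", "arcfour-hmac-md5-exp": "RC4-HMAC (export)",
    "des3-cbc-sha1": "3DES", "des3-hmac-sha1": "3DES", "des3-cbc-sha1-kd": "3DES",
}
STRONG_ETYPES = {
    "aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96",
    "aes128-cts-hmac-sha256-128", "aes256-cts-hmac-sha384-192",
}

# One keytab row: "<kvno> <principal> (<enctype>)"; header and separator lines do not match.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """Return (kvno, principal, enctype) tuples for every key row in the listing."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def classify(etype):
    """Map an enctype name to 'weak', 'strong' or 'unknown' under the assumed policy."""
    if etype in WEAK_ETYPES:
        return "weak"
    if etype in STRONG_ETYPES:
        return "strong"
    return "unknown"


def audit(text):
    """Group keytab rows by verdict; weak rows carry the cipher family as a reason."""
    report = {"weak": [], "strong": [], "unknown": []}
    for _kvno, principal, etype in parse_klist(text):
        verdict = classify(etype)
        report[verdict].append((principal, etype, WEAK_ETYPES.get(etype, "")))
    return report


def exposed_principals(text):
    """Principals holding at least one weak key. As long as the KDC still permits
    that enctype, tickets for these services can be issued under it, which is the
    downgrade exposure the post worries about; AES-only principals are not listed."""
    verdicts_by_principal = defaultdict(set)
    for _kvno, principal, etype in parse_klist(text):
        verdicts_by_principal[principal].add(classify(etype))
    return {p for p, v in verdicts_by_principal.items() if "weak" in v}


if __name__ == "__main__":
    rep = audit(SAMPLE_KLIST)
    for principal, etype, reason in rep["weak"]:
        print(f"WEAK    {principal:42} {etype:26} ({reason})")
    for principal, etype, _ in rep["strong"]:
        print(f"strong  {principal:42} {etype}")
    print("principals exposed to downgrade:", sorted(exposed_principals(SAMPLE_KLIST)))
```

Run it against real `klist -ke` output by replacing `SAMPLE_KLIST` with the captured text; any principal it lists is a candidate for re-keying with only AES enctypes, after which the weak enctypes can be removed from the KDC's permitted list so they cannot be negotiated at all.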