
Re: Intent to package kth kerberos (krb4 or heimdal, not sure which)



Jean Pierre LeJacq wrote:
> 
> On Fri, 13 Mar 1998, Raul Miller wrote:
> 
> > IPsec provides authentication and encryption, but the issue is key
> > management. This isn't a minor issue: security derives from the security
> > of the key.
> >
> > Kerberos manages keys by providing a central point of control (for
> > multiple machines -- which must all be configured to respect that point
> > of control). IPsec is much more scalable but doesn't really address user
> > or application layer concepts.
> >
> > I've been presuming that Kerberos could be used to manage IPsec keys.
> > This might not be true, I'll have to go study for a bit.
> 
> I'm not sure about Kerberos, but Sun is pushing SKIP for key
> management with IPSec.

But Sun is also implementing ISAKMP/Oakley.  It isn't ready yet, the way
SKIP is, but I'm told it's in the works.

In short, Sun and a lot of other people wanted SKIP to be the required
key management system used with IPv6, and the committee gridlocked over
SKIP vs ISAKMP/Oakley for a long time, but finally ISAKMP/Oakley was
chosen by fiat, I believe by the committee chair, rather than a vote or
consensus.

> > Finally, I think that an easy "plug in and configure" version of
> > Kerberos would require much of kerberos to go into the kernel, pam
> > support, and a bit of design work. But maybe that's not all that
> > relevant to this discussion. [Note that I expect we're going to have to
> > have some kind of support for Kerberos of some kind because it's being
> > built into some mass market products -- but maybe that work should be
> > left to the people that need to interoperate with those products?]
> 
> I agree in general.  A further complication is that there are at least
> two versions (4 and 5) of Kerberos being used which I believe are
> incompatible.

The main versions are 4, 5 and DCE.  They don't interoperate amazingly
well, there are rumors that the Microsoft version won't interoperate
either, and the whole design is just kind of clunky.  Trust me, I did my
Master's Thesis with Kerberos (so if anything, I have a vested interest
in seeing kerberos flourish - but I still dislike it).  Hacking each and
every application to get security this way is nuts; it makes MUCH more
sense to put the security into the IP layer as much as possible.

