
Re: are md5sums mandatory for all packages?



This is starting to lose policy relevance (if someone doesn't
volunteer to do out-of-us kerberos, it won't *be* an option, even if
someone does volunteer to set up a us-only site [or manage a directory
on the mpj site -- as long as I don't have to do anything more than
"dupload" I don't care which, as long as it stays legal] we won't have
an option for the rest of the world...)

> 	Are you sure they are equivalent? I use kerberos based

In level of security provided - they're close enough to equivalent
(kerberos has some wins, ssh has others.)  In *how* they're provided,
sure that's completely different.  (ssh wins on convenience; you can
get both by building ssh with krb5 support :-)

>	I do not need to be entered into any central database to ssh
> to my ISP, master.debian.org, or anything (I just need initial access
> by other means to set up initial key mechanisms, and I can use ssh. 

That "initial access" is "equivalent" to the database entry -- both
are "the point at which the secret that everything else depends on can
be attacked."  There are tradeoffs going both ways.  ssh takes little
effort to set up; kerberos, however, scales well in comparison (public
key operations are *slowwww* when you start having lots of people
doing them.  A p166 with cheap disks can handle 30 initial-ticket
requests per second [randomly chosen users from a database of 1e6
users] without problem; ssh can't come close to that, but on the other
hand the operations go to the servers themselves, not to a central
one; on the other other hand, you can set up slave kdcs
trivially... it goes on and on.)
