All,

A few weeks ago, we received a briefing from CyberSafe about their
TrustBroker (TM) Security Suite.  This appears to be a commercialization
of the PK enabled Kerberos that MIT has implemented.  If you are
interested in this concept, you might look at that product.  It is
advertised on their web site http://www.cybersafe.com/ .  I believe that
their deployments have given them a variety of experiences with client
authentication with the number of certs ranging into the thousands range
and with geographical diversity.  They can undoubtedly give you more
details.  

This is a private communication.  The company I work for has nothing
(that I know of) to do with this product, other than hosting the talk
referred to above.  Please contact the company if you are interested in
details beyond those available on the web site.  

Ed Donahue 
> -----Original Message-----
> From: Marc Horowitz [SMTP:[EMAIL PROTECTED]]
> Sent: Sunday, August 22, 1999 1:24 AM
> To:   RL 'Bob' Morgan
> Cc:   [EMAIL PROTECTED]; Peter Gutmann
> Subject:      Re: going around the crypto
> 
> "RL 'Bob' Morgan" <[EMAIL PROTECTED]> writes:
> 
> >> It is my understanding that MIT has a number of widely-used web
> >> applications (eg student registration) that have been using only client
> >> certs for authentication for a couple of years with reasonable success.
> >> You might say that this makes your point (these are MIT people, after all,
> >> hence closed, vetted, clueful, etc), but it is reasonably large-scale
> >> (~20K users or so, I think).  The point, perhaps, is that this PKI
> >> deployment duplicates, more or less, for the web the functionality that
> >> Kerberos provided ten years ago for its suite of applications (telnet
> >> etc).  So it's comforting to know that a PKI can do that much.  *8^)*
> 
> One might argue if the PKI is really doing this much.  MIT's system
> uses Kerberos to bootstrap.  Users authenticate via Kerberos to a
> service which then signs your public key and sends back the
> certificate.  This has the nice property of end-running many of the
> problems which surround PKI infrastructures.  If a user needs to use a
> cert from more than one machine or environment, or they forget their
> browser password (which encrypts the private key), or they lose the
> cert, they can just get another one from the cert server.  Since
> getting a new one is relatively easy, certs expire after a year.
> Notably, this system does not address revocation.
> 
> Also, last I checked, MIT's system also required Netscape, since IE
> just couldn't be made to work.  The client software has a long way to
> go.
> 
>               Marc
> 
> P.S. No, I don't know if the code is available, or from where.
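The Kerberos-bootstrapped certificate issuance Marc describes above, as an added example that is not part of this thread and not MIT's or CyberSafe's code. It models the flow in plain Python: a Kerberos ticket (an HMAC under a KDC key stands in for a real ticket), a cert server that accepts a valid ticket and signs the presented public key with a one-year lifetime (an HMAC under a CA key stands in for a real signature), and a relying-party check. The keys, principal names and function names are constructed for the example. It also goes slightly beyond the thread by showing what the check looks like with and without a revocation set, which is the gap Marc points out.

```python
import hmac
import hashlib
import json
from datetime import datetime, timedelta, timezone
from typing import Optional, Set

# Constructed secrets for the simulation. A real KDC and CA would keep these
# in protected storage; they are here only so the block runs stand-alone.
KDC_KEY = b"constructed-kdc-key"
CA_KEY = b"constructed-ca-signing-key"
CERT_LIFETIME = timedelta(days=365)   # the thread: certs expire after a year


def _mac(key: bytes, payload: dict) -> str:
    """HMAC over a canonical JSON encoding; stands in for a real signature."""
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def kerberos_login(principal: str, now: datetime) -> dict:
    """Stand-in for a Kerberos ticket: principal, expiry and a MAC under the KDC key."""
    body = {"principal": principal,
            "expires": (now + timedelta(hours=10)).isoformat()}
    return {"body": body, "mac": _mac(KDC_KEY, body)}


def ticket_valid(ticket: dict, now: datetime) -> bool:
    """Only the KDC key can produce the MAC, so a renamed principal is rejected."""
    good_mac = hmac.compare_digest(ticket["mac"], _mac(KDC_KEY, ticket["body"]))
    return good_mac and datetime.fromisoformat(ticket["body"]["expires"]) > now


def cert_server_issue(ticket: dict, public_key: str, now: datetime) -> dict:
    """The cert server: accept a valid Kerberos ticket, sign the presented key."""
    if not ticket_valid(ticket, now):
        raise PermissionError("Kerberos authentication failed")
    body = {
        "subject": ticket["body"]["principal"],
        "public_key": public_key,
        "not_after": (now + CERT_LIFETIME).isoformat(),
    }
    return {"body": body, "sig": _mac(CA_KEY, body)}


def cert_valid(cert: dict, now: datetime, revoked: Optional[Set[str]] = None) -> bool:
    """Relying-party check. With revoked=None this is the check the thread
    describes: signature and expiry only, so a lost or copied cert stays
    acceptable until not_after. Passing a revocation set closes that window."""
    if not hmac.compare_digest(cert["sig"], _mac(CA_KEY, cert["body"])):
        return False
    if datetime.fromisoformat(cert["body"]["not_after"]) <= now:
        return False
    if revoked and cert["sig"] in revoked:
        return False
    return True


def demo():
    t0 = datetime(1999, 8, 22, tzinfo=timezone.utc)
    ticket = kerberos_login("bob@EXAMPLE.ORG", t0)
    cert1 = cert_server_issue(ticket, "pubkey-from-browser-profile-1", t0)
    # User forgets the browser password or loses the profile a month later:
    # authenticate to Kerberos again and simply get another cert.
    t1 = t0 + timedelta(days=30)
    cert2 = cert_server_issue(kerberos_login("bob@EXAMPLE.ORG", t1),
                              "pubkey-from-new-profile", t1)
    # No revocation: the first cert is still accepted for the rest of the year ...
    still_valid = cert_valid(cert1, t0 + timedelta(days=200))
    # ... and only stops working when its year is up.
    expired = cert_valid(cert1, t0 + timedelta(days=366))
    # A relying party that consults a revocation set rejects it immediately.
    with_revocation = cert_valid(cert1, t0 + timedelta(days=200), revoked={cert1["sig"]})
    return still_valid, expired, with_revocation, cert2["body"]["subject"]


def forged_ticket_rejected() -> bool:
    """A ticket edited without the KDC key must not yield a cert for the new name."""
    t0 = datetime(1999, 8, 22, tzinfo=timezone.utc)
    forged = kerberos_login("alice@EXAMPLE.ORG", t0)
    forged["body"]["principal"] = "bob@EXAMPLE.ORG"
    try:
        cert_server_issue(forged, "some-other-key", t0)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), forged_ticket_rejected())
```

The point the model makes concrete is the trade Marc describes: because re-enrolment costs one Kerberos login, the system can tolerate losing the private key or the browser profile, but nothing short of the one-year expiry stops a cert that has left the user's control unless relying parties add a revocation check of their own.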
