On 8/29/2014 7:12 AM, Derek Atkins wrote:
> So let me rephrase, because you're right a "dump" of the kdc database is
> still encrypted in the master key. But if I can get a clone of the KDC
> disk then I've got *everything*, not just able to impersonate but as I
> stated before also able to read most communications that have already
> occurred.
This, however, is correct. You need the whole KDC, not just a dump of the database. If you have that, the whole thing, then yes, you can do anything and the only remediation is to start over from a clean slate. Which is why anyone operating a KDC should have good physical and logical security around it.

> Sure it does, it's called a "CRL".. And OCSP.. But yes, it's
> definitely more work to remove bad actors from the trusted root CA list.

Not really. CRLs are blacklists. Use of CRLs assumes that all certificates are good unless some party says otherwise. They do not identify compromised certificates; they only identify certificates that someone says have been compromised. OCSP addresses some of the limitations of revocation lists, but since clients silently ignore timed-out queries it fails to stop MITM attacks.

-- 
Rich P.

_______________________________________________
Discuss mailing list
Discuss@blu.org
http://lists.blu.org/mailman/listinfo/discuss
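To make the two revocation points above concrete (a CRL is a blacklist, so a stolen key that nobody reports never appears on it, and a soft-fail client treats a blocked or timed-out OCSP query as "good"), here is an added Go example; it is not part of the thread and not anyone's production code. It builds a throwaway CA with the standard crypto/x509 package, issues two leaf certificates, publishes a CRL that lists only the one whose compromise was reported, and then applies a soft-fail and a hard-fail acceptance policy. No OCSP responder is contacted: StatusUnknown simply stands in for a query that timed out or was dropped by an on-path attacker. All names, serial numbers and keys are constructed for the demo, and the keys are regenerated on every run.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// RevStatus is what a relying party learns about a certificate before trusting it.
type RevStatus int

const (
	StatusGood    RevStatus = iota // not on the CRL, or the OCSP responder said "good"
	StatusRevoked                  // on the CRL, or the responder said "revoked"
	StatusUnknown                  // OCSP query blocked or timed out: no answer at all
)

// check panics: the helpers below build throwaway demo material, so an error is a bug in the demo.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// sign issues a one-day certificate with a fresh P-256 key, self-signed when parent is nil.
// Keys and certificates are constructed on every run; nothing here is a real CA.
func sign(serial int64, cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: isCA,
	}
	if isCA { // crlSign is mandatory, or CreateRevocationList refuses to sign
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// publishCRL signs a CRL listing exactly the serials someone reported to the CA;
// a key that was stolen but never reported is, by construction, not on it.
func publishCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, reported ...*x509.Certificate) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour)}
	for _, c := range reported {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	check(err)
	crl, err := x509.ParseRevocationList(der)
	check(err)
	check(crl.CheckSignatureFrom(ca)) // a CRL is only as good as its signature
	return crl
}

// CRLStatus is blacklist semantics: a certificate is "good" unless its serial is listed.
func CRLStatus(crl *x509.RevocationList, cert *x509.Certificate) RevStatus {
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return StatusRevoked
		}
	}
	return StatusGood
}

// Accept is the client's policy. softFail=true, the common browser default, treats an
// unanswered OCSP query as "good", which is what an on-path attacker dropping OCSP traffic relies on.
func Accept(status RevStatus, softFail bool) bool {
	switch status {
	case StatusGood:
		return true
	case StatusRevoked:
		return false
	default:
		return softFail
	}
}

// Run builds a CA, two leaf certificates and a CRL that lists only the reported one, then
// returns: reported cert rejected by the CRL, unreported cert accepted by the CRL, and whether
// a certificate whose OCSP lookup was blocked is accepted by a soft-fail and by a hard-fail client.
func Run() (reportedRejected, unreportedAccepted, softFailAccepted, hardFailAccepted bool) {
	ca, caKey := sign(1, "Demo Root CA", true, nil, nil)
	reported, _ := sign(2, "reported-compromise.example", false, ca, caKey)
	unreported, _ := sign(3, "quietly-stolen.example", false, ca, caKey)
	crl := publishCRL(ca, caKey, reported)
	return !Accept(CRLStatus(crl, reported), false),
		Accept(CRLStatus(crl, unreported), false),
		Accept(StatusUnknown, true),
		Accept(StatusUnknown, false)
}
```

The second return value is the CRL point: the certificate for the quietly stolen key checks out as "good" because nobody told the CA to list it. The last two values are the OCSP point: the same blocked lookup is accepted by a soft-fail client and rejected by a hard-fail one, so the only client-side setting that actually stops an attacker who can drop OCSP traffic is hard-fail, at the cost of availability whenever the responder is slow or down.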