>>>>> "Ben" == Ben Nagy <[EMAIL PROTECTED]> writes:

Ben> 1. That a "kerberized" session is somehow much more secure than a
Ben> non-kerberized one. Kerberos allows for endpoint/service/user
Ben> authentication. However, Kerberos is still reliant on users picking strong
Ben> passwords.

Ben> Kerberos does NOT offer any session level encryption or any other security
Ben> mechanism - it's an _authentication_ protocol. Go read the spec - I refer
Ben> you to RFC 1510 for the nitty-gritty, although there are probably much more
Ben> digestible descriptions. Maybe you're confusing Kerberos with something
Ben> else?

Kerberos, as implemented today, _does_ offer session level
encryption. Please examine the sample kerberized clients and servers that
ship with the MIT distribution.

Now, one can argue semantics about whether or not that session level
encryption is properly referred to as "kerberos" or not, but it definitely
does exist.

On the other hand, the individual in question was _not_ going to use
kerberos' ticket/encryption mechanisms, just use it as a centralized
authentication system. So your complaint is justified, although I disagree
with the text of your explanation.

-- 
Carson Gaspar -- [EMAIL PROTECTED]
Queen Trapped in a Butch Body
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
