Hey Mike,

> But it would be even better if the client could (or had the option to)
> do authentication with the service directly and thus eliminate the
> numerous dependencies for clients (DNS, KDC access, stale tickets,
> time sync...).
I doubt you could use Kerberos without these components involved. You might forego DNS if you configured your client (which is certainly not everyone's favourite solution). You need the KDC to obtain a short-lasting credential, which is pretty much a cornerstone of Kerberos security. The stale tickets and time sync come with that.

Do note that time sync is not always essential on the client; the major concern for security is that the KDC and server are in time sync. Clients merely need time to be able to pick the right ticket, but if they needed to (because they were embedded, say) they might happily assume whatever ticket timing the KDC passed them and use that to figure out how much longer a ticket would last.

> I'm not sure if that is possible with HTTP being
> stateless, but if it is, it could be the basis for proper Internet
> website security as well.

It sounds to me like you are asking about preshared keys, which are accepted to be far less secure than the Kerberos road.

-Rick

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
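To make the clock point above concrete, here is an added example (not code from the thread, and not MIT krb5's own implementation) of a client that learns the KDC's clock offset from the timestamps in the KDC reply and tracks ticket validity from that, so its own wall clock only has to tick at the right rate, not be set correctly. It also shows the application-server side, where the authenticator time is checked against the server's clock within a skew window; that check is why the KDC and server need to agree on time. The Ticket class, the function names, the constructed timestamps and the 300-second skew (MIT krb5's default clockskew) are assumptions of this example; the idea itself is what MIT krb5 exposes as the kdc_timesync libdefaults option.

```python
from dataclasses import dataclass

# Server-side tolerance for authenticator timestamps. 300 s is MIT krb5's
# default clockskew; treated here as an assumption of this example.
CLOCKSKEW = 300


@dataclass(frozen=True)
class Ticket:
    """Cached ticket plus the one local fact needed to interpret KDC times."""
    server: str
    authtime: int          # KDC's clock when the ticket was issued (from the reply)
    endtime: int           # KDC's clock at which the ticket expires (from the reply)
    local_at_receipt: int  # client's (possibly wrong) wall clock when the reply arrived

    @property
    def kdc_offset(self) -> int:
        """KDC clock minus local clock, as implied by the reply.
        Assumes the reply arrived close to authtime (network delay ignored)."""
        return self.authtime - self.local_at_receipt


def kdc_time_now(t: Ticket, local_now: int) -> int:
    """Client's estimate of the KDC's current time, derived purely from the
    offset learned at receipt. Correct as long as the local clock advances at
    the right rate, even if its absolute value is hours off."""
    return local_now + t.kdc_offset


def remaining_lifetime(t: Ticket, local_now: int) -> int:
    """Seconds of validity left, measured in the KDC's time base."""
    return t.endtime - kdc_time_now(t, local_now)


def pick_ticket(cache, server: str, local_now: int):
    """Choose a still-valid cached ticket for `server` without trusting the
    local wall clock; prefer the one that lasts longest. Returns None if no
    ticket is usable (caller should go back to the KDC)."""
    usable = [t for t in cache
              if t.server == server and remaining_lifetime(t, local_now) > 0]
    return max(usable, key=lambda t: t.endtime) if usable else None


def make_authenticator(t: Ticket, local_now: int) -> dict:
    """Client-side authenticator with ctime expressed in the KDC's time base,
    so a server that is synced with the KDC will accept it."""
    return {"server": t.server, "ctime": kdc_time_now(t, local_now)}


def server_accepts(auth: dict, ticket_endtime: int, server_now: int,
                   skew: int = CLOCKSKEW) -> bool:
    """Application-server side. The server's clock is assumed to be synced
    with the KDC: the ticket must not have expired, and the authenticator's
    ctime must fall within the skew window of the server's own clock."""
    if server_now >= ticket_endtime:
        return False
    return abs(auth["ctime"] - server_now) <= skew


if __name__ == "__main__":
    # Constructed scenario: KDC issues a 10-hour ticket at T0; the client's
    # wall clock is two hours fast; 600 s later the client talks to the server.
    T0 = 1_700_000_000
    fresh = Ticket("host/web.example.com", T0, T0 + 36000, T0 + 7200)
    stale = Ticket("host/web.example.com", T0 - 36100, T0 - 100, T0 - 28900)
    local_now = T0 + 7800          # client clock: T0 + 600 s, plus the 2 h error
    server_now = T0 + 600          # server clock: synced with the KDC

    chosen = pick_ticket([stale, fresh], "host/web.example.com", local_now)
    print("remaining:", remaining_lifetime(chosen, local_now))           # 35400
    auth = make_authenticator(chosen, local_now)
    print("corrected ctime accepted:", server_accepts(auth, chosen.endtime, server_now))
    naive = {"server": chosen.server, "ctime": local_now}                # raw local clock
    print("naive ctime accepted:", server_accepts(naive, chosen.endtime, server_now))
```

The naive authenticator is rejected because its ctime is two hours away from the server's clock, while the corrected one lands inside the skew window; a client that keeps no wall clock at all could do the same bookkeeping against a monotonic counter started at receipt.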