>> Unfortunately, ANOTHER one of the "fun" rules I live under is, "Thou
>> shall have no other PKI than the DoD PKI". And as much as I can
>> legitimately argue for many of the unusual things that I do, I can't get
>> away with that one; [...]
>
> A CA that issues short-lived certificates (for keys that might be
> software keys) is morally equivalent to a Kerberos KDC. You ought to be
> able to deploy such online CAs that issue only short-lived certs.

You know that. I know that. But remember: "if you're explaining, you're losing". When asked I can honestly say, "Kerberos is not a PKI" and that's good enough, but I can't say with a straight face, "This X.509 CA over here is not a PKI".

> Presumably OpenSSH CAs are a different story because they're not x.509? :)

Strangely enough, I am not aware of anyone in the DoD that uses OpenSSH CAs (there probably are, I just don't know them). I could see it being argued both ways. The people I know who use OpenSSH are (a) using gssapi-with-mic like us, (b) just using passwords, or (c) using their client smartcard key as a key for RSA authentication and they call that "DOD PKI authentication". Again, you know and I know that isn't really using PKI certificates, but the people up the chain aren't really smart enough to understand the distinction; they see that you're using the smartcard and that's good enough for them.

>> We _do_ do PKINIT with the DoD PKI today; that is relatively
>> straightforward with the exception of dealing with certificate
>> revocation (last time I checked the total size of the DOD CRL package
>> was approximately 8 million serial numbers, sigh).
>
> Don't you have OCSP responders?

We _do_, it's just a pain to find an OCSP responder that can handle that many. If the official ones go offline that breaks our KDC so we run our own locally.

> One of the problems I'm finding is that SSHv2 client implementations are
> proliferating, and IDEs nowadays tend to come with one, and not one of
> them supports GSS-KEYEX, though most of them support gssapi-with-mic, so
> it makes you want to give up on GSS-KEYEX.

Right, part of the problem there is that people want to "use Kerberos with ssh", and they don't understand the difference between gssapi-with-mic and gss-keyex.

--Ken

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos