On Saturday, October 10, 2015, Edward Ned Harvey (lopser) < [email protected]> wrote:
> They should be able to authenticate without exposing their password. BTW,
> this characteristic would be nice to add to Kerberos and OAuth, but that's
> not something I'm immediately looking into.
>

You might want to look into it actually, since at least for Kerberos it already exists and is widely used. RFC 4556 describes pkinit, a mechanism for using public key cryptography to perform the initial key exchange. Microsoft even has their own extensions to pkinit, (of course) in MS-PKCA. My understanding is that pkinit development was heavily driven by the cable industry and is used by set-top boxes via CableCards, but it can be used in any scenario with smart cards.

One of the tenets of the pkinit RFC is that it makes the Kerberos initial key exchange better, not because the key/password isn't exposed to the KDC, but because the key isn't generated from a password. Any mechanism for generating a key from a human-typed password is only as secure as the password, and 20+ years of evidence shows humans (in aggregate) are horrible at generating secure passwords.

Can you explain how/if cbcrypt solves that problem?

-David

--
Sent from Gmail Mobile
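An added illustration of the contrast David draws above; this is example code written for this page, not code from the thread, from cbcrypt, or from any Kerberos or pkinit implementation. The password path uses a plain PBKDF2-HMAC-SHA256 over a realm-plus-principal salt as a stand-in for the Kerberos string-to-key function (RFC 3962 actually uses PBKDF2-HMAC-SHA1 followed by a further derivation step, but it has the same property), and the pkinit path is reduced to signing the KDC nonce with an Ed25519 key standing in for a smart-card credential (real pkinit signs a CMS structure and carries a certificate chain). The realm, principal, nonce and dictionary are all constructed. The point it makes runnable: an attacker who captures password-based pre-authentication can recompute the key offline by guessing the password, whereas capturing a public-key proof leaves nothing to guess.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// pbkdf2SHA256 is plain PBKDF2-HMAC-SHA256 (RFC 8018 section 5.2). It stands in
// for the Kerberos string-to-key function here (assumption: the real RFC 3962
// function differs in hash and has an extra derivation step). What matters is
// shared: anyone who can guess the password can recompute the key.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	out := make([]byte, 0, keyLen+sha256.Size)
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Write(idx[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// PasswordProof models password-based pre-authentication: the client derives
// its long-term key from the password (salt = realm followed by principal, as
// Kerberos does by default) and proves possession by MACing the KDC's nonce.
func PasswordProof(password string, salt, nonce []byte) []byte {
	key := pbkdf2SHA256([]byte(password), salt, 4096, 32) // 4096 is the RFC 3962 default count
	mac := hmac.New(sha256.New, key)
	mac.Write(nonce)
	return mac.Sum(nil)
}

// OfflineGuess is the attacker's side: with only the captured salt, nonce and
// proof (all visible on the wire), try each dictionary word. The KDC is never
// contacted, so lockout policies never trigger.
func OfflineGuess(dict []string, salt, nonce, proof []byte) (string, bool) {
	for _, guess := range dict {
		if hmac.Equal(PasswordProof(guess, salt, nonce), proof) {
			return guess, true
		}
	}
	return "", false
}

// NewSmartcardIdentity stands in for a smart-card or set-top-box credential
// enrolled with the KDC: the KDC stores the public key, the private key never
// leaves the device. (Ed25519 is an assumption; pkinit itself uses X.509/CMS.)
func NewSmartcardIdentity() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// PkinitProof models the client side of pkinit reduced to its essence:
// sign the KDC nonce with the enrolled private key.
func PkinitProof(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, nonce)
}

// KDCVerifyPkinit is the KDC side: check the signature against the enrolled key.
func KDCVerifyPkinit(pub ed25519.PublicKey, nonce, sig []byte) bool {
	return ed25519.Verify(pub, nonce, sig)
}

func main() {
	salt := []byte("EXAMPLE.ORG" + "alice")        // constructed realm + principal
	nonce := []byte("constructed-kdc-nonce-000001") // constructed KDC challenge

	// Password path: everything the attacker needs is on the wire.
	proof := PasswordProof("hunter2", salt, nonce)
	dict := []string{"password", "letmein", "hunter2", "Summer2015!"} // constructed dictionary
	if pw, ok := OfflineGuess(dict, salt, nonce, proof); ok {
		fmt.Printf("password path: recovered %q offline from captured pre-auth\n", pw)
	}

	// pkinit path: the attacker sees pub, nonce and sig, but there is nothing to guess.
	pub, priv := NewSmartcardIdentity()
	sig := PkinitProof(priv, nonce)
	fmt.Println("pkinit path: KDC accepts genuine signature:", KDCVerifyPkinit(pub, nonce, sig))
	forged := PkinitProof(ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize)), nonce)
	fmt.Println("pkinit path: KDC accepts forged signature:", KDCVerifyPkinit(pub, nonce, forged))
}
```

Run with `go run .`; the first line shows the password recovered from the captured proof, the second shows the KDC accepting the genuine public-key proof and the third shows it rejecting a signature made under any other key. Raising the PBKDF2 iteration count only slows the dictionary loop by a constant factor; it does not change which of the two paths has a password to guess.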
_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
