[krbdev.mit.edu #5821] REQ: in-registry keytab support

Sam Hartman via RT rt at krbdev.mit.edu
Thu Oct 18 16:41:35 EDT 2007


Hi.  I'm concerned about a mechanism that makes it this easy to reuse
keys.  Your example of a cluster of web servers using HTTP/clustername
is OK; that's a case where you need to reuse keys.

However, many of the other examples are cases where reusing keys would
significantly harm security.  The AFS case is particularly alarming.
Pushing out the same key for anonymous cell access would decrease
security by allowing anyone with this key to impersonate the cell.

I'm also concerned about whether group policy has the appropriate
confidentiality protection for this use.  How is group policy pushed
to a machine?  Is it encrypted in transit?  Can a machine find out the
group policy of someone else?

--Sam
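The concern above is about one key being pushed to many hosts. As an added example (not part of this ticket and not MIT Kerberos code), the following Python script parses a version-2 MIT keytab (the 0x05 0x02 on-disk format) and reports every set of principals whose entries carry byte-identical key material, which is the kind of check an administrator could run over a keytab before distributing it. The keytab bytes, principals and keys are constructed inline for the example; the builder exists only so the audit runs offline.

```python
import struct
from collections import defaultdict

# --- minimal keytab v2 writer (only used to construct the sample input) ---
def _build_entry(realm, components, enctype, key, kvno=1, name_type=1, timestamp=0):
    body = struct.pack(">H", len(components))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for comp in components:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">II", name_type, timestamp)
    body += struct.pack(">B", kvno & 0xFF)               # 8-bit kvno
    body += struct.pack(">HH", enctype, len(key)) + key  # keyblock
    body += struct.pack(">I", kvno)                      # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body           # signed entry size

def build_keytab(entries):
    data = b"\x05\x02"
    for entry in entries:
        data += _build_entry(*entry)
    return data

# --- keytab v2 reader ---
def parse_keytab(data):
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        p = pos
        (ncomp,) = struct.unpack_from(">H", data, p); p += 2
        (rlen,) = struct.unpack_from(">H", data, p); p += 2
        realm = data[p:p + rlen].decode(); p += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, p); p += 2
            comps.append(data[p:p + clen].decode()); p += clen
        p += 8                  # name_type and timestamp are not needed here
        kvno = data[p]; p += 1
        enctype, klen = struct.unpack_from(">HH", data, p); p += 4
        key = data[p:p + klen]; p += klen
        if end - p >= 4:        # optional 32-bit kvno overrides the 8-bit one if nonzero
            (vno32,) = struct.unpack_from(">I", data, p)
            if vno32:
                kvno = vno32
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype, "key": key})
        pos = end
    return entries

def find_shared_keys(entries):
    """Group principals by (enctype, key bytes); return groups with more than one principal."""
    by_key = defaultdict(set)
    for e in entries:
        by_key[(e["enctype"], e["key"])].add(e["principal"])
    return sorted(sorted(group) for group in by_key.values() if len(group) > 1)

# Constructed sample: two host keys that are identical, one distinct afs key.
KEY_A = b"\x11" * 16   # constructed, enctype 17 (aes128-cts-hmac-sha1-96)
KEY_B = b"\x22" * 16   # constructed
SAMPLE_KEYTAB = build_keytab([
    ("EXAMPLE.COM", ["host", "web1.example.com"], 17, KEY_A, 3),
    ("EXAMPLE.COM", ["host", "web2.example.com"], 17, KEY_A, 3),
    ("EXAMPLE.COM", ["afs", "example.com"], 17, KEY_B, 5),
])

if __name__ == "__main__":
    for group in find_shared_keys(parse_keytab(SAMPLE_KEYTAB)):
        print("same key shared by:", ", ".join(group))
```

Running it on the sample reports the two host principals as sharing one key. On a real file, `parse_keytab(open(path, "rb").read())` reads the keytab directly; the audit only compares key bytes and never prints them.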
