[Kdc-info] prelim draft of kdc information model

Ken Raeburn raeburn at MIT.EDU
Thu Jul 31 08:52:30 EDT 2003


> Again, what benefit do you get from separating these options?

You get the option of having communication between the KDC and
application server always well-protected with a strong enctype, while
the client can choose to use a weaker session key type (e.g., if
that's all it supports).

Granted, you can also do this by only using one of the keys as the
service key, but then aren't you really just using the list of keys to
implement a list of enctypes?  That also implies a requirement for the
ability to indicate which one (or more?) of the multiple stored keys
may be used as the service key.

Ken
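
The trade-off discussed in this message, as an added example that is not part of the original post or of any KDC implementation: it compares a single coupled enctype list, separate service-key and session-key options, and a key list with a "may be used as the service key" flag. The record layout, function names, strength ranking and sample data are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed ranking, strongest first (an assumption of this example).
STRENGTH = ["aes256-cts-hmac-sha1-96", "des3-cbc-sha1", "des-cbc-crc"]


@dataclass
class ServiceEntry:
    """Hypothetical KDC database record for an application server."""
    keys: dict              # enctype -> stored long-term key
    session_enctypes: list  # enctypes the server accepts for session keys
    service_key_ok: set     # stored keys that may be used as the service key


def strongest(enctypes):
    return min(enctypes, key=STRENGTH.index)


def first_common(client_etypes, allowed):
    # Honour the client's preference order.
    for etype in client_etypes:
        if etype in allowed:
            return etype
    raise LookupError("no common enctype")


def select_coupled(entry, client_etypes):
    """One list for both purposes: the ticket is only as strong as the client."""
    etype = first_common(client_etypes, entry.keys)
    return etype, etype


def select_separate(entry, client_etypes):
    """Separate options: ticket enctype is independent of the client's list."""
    ticket = strongest(entry.keys)
    return ticket, first_common(client_etypes, entry.session_enctypes)


def select_flagged_keys(entry, client_etypes):
    """Key list doubling as enctype list, plus a 'may be service key' flag."""
    ticket = strongest(e for e in entry.keys if e in entry.service_key_ok)
    return ticket, first_common(client_etypes, entry.keys)


# Constructed sample data: a server with one strong key, and a DES-only client.
SEPARATE = ServiceEntry({"aes256-cts-hmac-sha1-96": b"k1"},
                        ["aes256-cts-hmac-sha1-96", "des-cbc-crc"], set())
FLAGGED = ServiceEntry({"aes256-cts-hmac-sha1-96": b"k1", "des-cbc-crc": b"k2"},
                       [], {"aes256-cts-hmac-sha1-96"})
WEAK_CLIENT = ["des-cbc-crc"]
```

Each function returns a (ticket enctype, session key enctype) pair; the flagged-key variant reaches the same result as the separate lists only by storing an extra key that is never used to encrypt a ticket.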

