Globus/GSI versus Kerberos
lynn@garlic.com
lynn at garlic.com
Thu Jul 7 14:26:33 EDT 2005
Ken Hornstein wrote:
> When I cornered one of the Globus guys and asked him point-blank the
> same question, he told me that in his opinion the decision to do PKI
> was really driven politically from the top, and he thought Kerberos
> made a LOT more sense.
the original pk-init draft for kerberos specified certificateless
operation
http://www.garlic.com/~lynn/subpubkey.html#certless
you basically registered a public key with kerberos in lieu of a
password and then used digital signature authentication with the onfile
public key (no PKI and/or digital certificates required).
http://www.garlic.com/~lynn/subpubkey.html#kerberos
this was basically an authentication technology upgrade w/o having to
introduce any new business processes and extraneous infrastructure
operations.
it was later that certificate-based operation was added to the kerberos
pk-init draft.
i gave a talk on this at the global grid forum #11
http://www.garlic.com/~lynn/index.html#presentation
at the meeting there was some debate on kerberos vis-a-vis radius as
an authentication & authorization business process infrastructure.
note that in addition to there having been a non-PKI, certificate-less
authentication upgrade for kerberos (using onfile public keys), there
has been a similar proposal for RADIUS; basically registering public
keys in lieu of passwords and performing digital signature
authentication with the onfile public keys.
http://www.garlic.com/~lynn/subpubkey.html#radius
Straightforward upgrade of the authentication technology w/o having
to layer on a separate cumbersome PKI business process.
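
The certificate-less scheme described in the message above, sketched as an added example that is not part of the original post and is not Kerberos, PK-INIT or RADIUS code: the server keeps a public key on file where a password would be, issues a one-time challenge, and verifies the signed response against that key. Ed25519, the names `Registry`, `Challenge`, `SignedBytes` and `Verify`, and the `certless-demo` label are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Registry is the server's account file: principal -> on-file public key.
type Registry struct {
	keys    map[string]ed25519.PublicKey
	pending map[string][]byte // one outstanding challenge per principal
}

func NewRegistry() *Registry {
	return &Registry{map[string]ed25519.PublicKey{}, map[string][]byte{}}
}

// Register files the key in lieu of a password; no certificate is involved.
func (r *Registry) Register(who string, pub ed25519.PublicKey) { r.keys[who] = pub }

// Challenge issues a fresh random nonce to a registered principal.
func (r *Registry) Challenge(who string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil || r.keys[who] == nil {
		return nil
	}
	r.pending[who] = nonce
	return nonce
}

// SignedBytes is what the client signs: the nonce bound to principal and protocol.
func SignedBytes(who string, nonce []byte) []byte {
	return append([]byte("certless-demo|"+who+"|"), nonce...)
}

// Verify consumes the nonce (no replay), then checks against the on-file key.
func (r *Registry) Verify(who string, sig []byte) bool {
	nonce, ok := r.pending[who]
	delete(r.pending, who)
	return ok && ed25519.Verify(r.keys[who], SignedBytes(who, nonce), sig)
}

func main() {
	reg := NewRegistry()
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key pair
	reg.Register("alice", pub)
	sig := ed25519.Sign(priv, SignedBytes("alice", reg.Challenge("alice")))
	fmt.Println("login:", reg.Verify("alice", sig), "replay:", reg.Verify("alice", sig))
}
```

The account file holds only public keys, so a copy of it gives nothing that can be replayed as a credential, and no certificate is issued or validated at any point.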