NIST LOAs and Kerberos
Nico Williams
nico at cryptonector.com
Fri Mar 30 14:17:07 EDT 2012
Not only that, but also I think it's possible to interpret this spec
in ways that rule out Kerberos completely. For example, you can't
re-use temporary shared secrets, which could be interpreted as
requiring that no tickets be cached, or maybe it should be interpreted
as requiring new sub-session keys every time. And in higher LoAs you
have to protect even temporary shared secrets with a security module,
which means that you'd have to protect ccaches with security modules.
Also, long-term service keys would have to be protected by security
modules.
Nico