On Tue, Jul 13, 2004 at 01:02:14AM +0200, Jonas Smedegaard wrote:
Hm, that's too bad. Kerberos support isn't useful to me unless it does integrity, since otherwise you need SSL, and I'm trying to avoid using SSL.
Why? Is SSL bad in some way?
At the very least, it adds complexity, and an overhead in the public-key cryptography.
Kerberos already provides mutual authentication and, as a side effect of the authentication, a session key. If you're going to use SSL as well, the SSL session key needs to be negotiated separately. RFC 2712 (Addition of Kerberos Cipher Suites to Transport Layer Security) attempts to address these issues, but I'm not sure how widely this is implemented.
-- Ray Miller, Unix Systems Programmer & Team Leader Systems Development & Support, Computing Services, University of Oxford