Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] Why the dislike of X.509?



On 8/25/2014 3:55 PM, markw at mohawksoft.com wrote:
> If your system is compromised, you can be pretty sure that the attackers
> will be able to erase their tracks. This is the nature of cracking. The
> only way to be sure is to monitor access via an external logging system.

Again with the gross misrepresentation. Kerberos isn't necessarily
centralized. It can be compartmentalized so that the entire organization
isn't vulnerable to a single KDC compromise. Additionally, Kerberos
itself has mechanisms to detect tampering. They can be worked around but
doing so is much more difficult than using a stolen root certificate to
cut and sign rogue node and site certificates.


> No security can withstand privileged access.

True, but with PKI and escrow a single attack can silently compromise
the entire domain in one go.

-- 
Rich P.



BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!



Boston Linux & Unix / webmaster@blu.org