On Wed, Mar 03, 2021 at 02:05:33PM -0500, Phillip Hallam-Baker wrote:
> When I was writing my intro to crypto course, I covered Kerberos and then
> moved on to PKI, I was astonished at just how close the Kohnfelder model
> hews to Kerberos (maybe not so surprising, it was an MIT undergrad thesis).
>
> But here is the thing, nobody should ever be ashamed of 're-inventing'
> systems of the past. If old techniques work, then use them.
>
> Since adding PKI to Kerberos wasn't exactly successful, one is going to

I wouldn't say that PKINIT has failed.  It works, and it is used.  It's
not used widely as intended (i.e., with smartcards) because what failed
is smartcards.

If you use PKINIT as a bridge, and you have online CAs, and online JWT
issuers, and...  you can have whatever kind of credential you want as a
root credential.  One might use KSATs or GSATs as root credentials, or
Kerberos, or smartcards, or whatever.

I've been building authentication bridges because it turns out that
getting the whole world to support the one authentication system, or
some minimal set of authentication systems, is impossible.

(Aside: one design for PKCROSS is basically online CAs + PKINIT.)

> have to add PKI to Kerberos or Kerberos to PKI and the complexity of either
> is likely to be rather greater than designing something from scratch using
> the experience of the past 40 years.

I'd rather start from scratch when it comes to Kerberos.  Too many
mistakes were made in Kerberos V's design (listing them should require a
separate thread).  Also, Kerberos as a competitor to TLS failed, leaving
it mostly only a role as a token system akin to JWT with symmetrically
encrypted tokens (a mostly unused option of JWT's).  GSS-API as a
pluggable system has also failed except in so far as it could be an API
for TLS (as GSS-API's Windows cousin, SSPI, is).

Note that failure in this context doesn't mean "and we can obsolete and
remove the failed thing".  Even failed things tend to last forever :(

The great thing about Needham-Schroeder is that it depends only on
symmetric crypto, which is good news in a PQ world, and in a post-RSA
world (if we're there).  Even better is that combining PK and
Needham-Schroeder is an optimization for slow PK, which is what you want
in a PQ world.

The bad thing about Needham-Schroeder is that setting up trusts is a
very manual process and needs PK in order to automate it (or better, in
order to not need to set up trusts at all).  But again, that just leads
one to want to combine Needham-Schroeder with PK.

Nico
--