Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!cis.ohio-state.edu!pacific.mps.ohio-state.edu!linac!att!princeton!njin!uupsi!cambridge.oracorp.com!li
From: li@cambridge.oracorp.com (Li Gong)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: Authentication & Internet Protocol Suite
Message-ID: <1991Jun21.230212.3642@cambridge.oracorp.com>
Date: 21 Jun 91 23:02:12 GMT
References: <1991Jun18.211641.4075@beaver.cs.washington.edu>
Organization: ORA Corp, 675 Mass Ave, Cambridge, MA 02139
Lines: 24

In article <1991Jun18.211641.4075@beaver.cs.washington.edu> bcn@cs.washington.edu (Clifford Neuman) writes:
>The trusted system need only hold the keys for local clients and
>servers (called a realm).  If the server is compromised, this isolates
>the damage to the principals registered in that realm.
> ...
>In version 5, realms can be organized hierarchically.  Thus, you can
>often get by maintaining entries for only immediate ancestors and
>descendants in the tree.

When a user from a good realm trying to talk to a service in a broken
realm, what happens ?  Does the compromised KDC get to know the
secrets of the remote users ?  Other damages ?  If so, isn't it the
case that damages are *not* confined to the local (broken) realm ?

>be very long lived.  This presents a problem for revocation.

Very much agreed.  The public-key systems give a false impression that
they can save because of the reduced number of interactions with the
servers.  But this also reduces the chance for revocation.
-- 
Li GONG, PhD              | Email:  li@cambridge.oracorp.com
ORA Corporation           | Tel  :  (617) 354-8230
675 Massachusetts Avenue  | Fax  :  (617) 354-6593
Cambridge, MA 02139       | (li@oracorp.com, li@oravax.UUCP)