Path: utzoo!utgpu!jarvis.csri.toronto.edu!cs.utexas.edu!tut.cis.ohio-state.edu!purdue!decwrl!shelby!TIS.COM!galvin
From: galvin@TIS.COM (James M Galvin)
Newsgroups: comp.protocols.kerberos
Subject: Re: Kerberos, standards, servers, PKE, etc...
Message-ID: <28785.630171696@tis.com>
Date: 20 Dec 89 15:41:36 GMT
References:
Sender: daemon@shelby.Stanford.EDU
Reply-To: James M Galvin
Organization: The Internet
Lines: 41

2) Public keys and "signatures". The use of signatures depends even more than communication and printed directories on the long term integrity of the keys. Any "signature" is valid only as long as the key has not been compromised.

You need to be careful to separate technical issues from business/application issues. In particular, if you extend the paradigm stated in The OSI Directory, "authentication is only valid at the time it occurs", then a signature is only valid at the time it is signed. Your concern about non-repudiation is real, and your solution is typical, but it is not a technical problem inasmuch as digital signatures are not exactly the same as written signatures.

5) RSA is patented in the USA (except for the Government and MIT?). In any case, the adoption of anything as an international standard normally requires that it not be proprietary. Recently I have witnessed a heated argument between a representative of RSA Inc and the co-chairman of an IEEE committee on this very point (i.e. if THEY can't agree, I think this list would only be wasting its time discussing this point - just let's note it). Please note, RSA has not been adopted as an international standard. The Annex comprising its specification is not an integral part of the standard. I understand this is a minor point, practically speaking, but an important one nonetheless.
Further, the Directory Services SIG of the OSI Implementor's Workshop has identified an alternative digital signature algorithm and has created agreements explaining how to use it, for just the reasons you cite. Thus, they are not mandating any particular algorithm and they are going to great pains to be sure there is an option, given the constraints to non-government, US organizations.

Jim
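The post contrasts two readings of signature validity: a signature is worthless once its key is compromised, versus a signature is valid at the moment it was made (and so a signature provably made before the compromise can still be trusted). The following is an added illustration, not code from the post or from any project it mentions. It uses a textbook RSA keypair built from constructed toy primes (61 and 53, far too small for real use) purely so the check runs offline, and a hypothetical key registry record carrying an assumed `compromised_at` timestamp. The `signed_at` value is assumed to come from a trustworthy timestamp; without one, the time-qualified policy below collapses into the strict one.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

# --- Toy textbook RSA (constructed tiny parameters, illustration only) ---

def egcd(a: int, b: int) -> Tuple[int, int, int]:
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a: int, m: int) -> int:
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no modular inverse")
    return x % m


def make_toy_keypair() -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Constructed toy primes; n = 3233, e = 17, d = 2753."""
    p, q = 61, 53
    n = p * q
    phi = (p - 1) * (q - 1)
    e = 17
    d = modinv(e, phi)
    return (e, n), (d, n)


def digest(msg: bytes, n: int) -> int:
    # Hash-then-sign; reduced mod n only because the toy modulus is tiny.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(msg: bytes, priv: Tuple[int, int]) -> int:
    d, n = priv
    return pow(digest(msg, n), d, n)


def verify_math(msg: bytes, sig: int, pub: Tuple[int, int]) -> bool:
    """The purely mathematical check: does the signature match the key?"""
    e, n = pub
    return pow(sig, e, n) == digest(msg, n)


# --- Key integrity record (hypothetical registry entry, an assumption) ---

@dataclass
class KeyRecord:
    pub: Tuple[int, int]
    compromised_at: Optional[int] = None  # epoch seconds when compromise became known


STRICT = "strict"                  # any compromise voids every signature by the key
TIME_QUALIFIED = "time-qualified"  # signatures made before the compromise stay valid


def signature_status(msg: bytes, sig: int, signed_at: int,
                     rec: KeyRecord, policy: str = TIME_QUALIFIED) -> str:
    """Combine the math check with the key-integrity policy the post describes."""
    if not verify_math(msg, sig, rec.pub):
        return "invalid"                      # wrong key or altered message
    if rec.compromised_at is None:
        return "valid"                        # key integrity intact
    if policy == STRICT:
        return "untrusted: key compromised"   # post's first reading
    if signed_at >= rec.compromised_at:
        return "untrusted: signed after compromise"
    return "valid"                            # signed while key was still sound


if __name__ == "__main__":
    pub, priv = make_toy_keypair()
    msg = b"transfer 100 units"          # constructed sample message
    sig = sign(msg, priv)
    rec = KeyRecord(pub, compromised_at=1_000)
    for t in (500, 1_500):
        for pol in (STRICT, TIME_QUALIFIED):
            print(t, pol, signature_status(msg, sig, t, rec, pol))
```

The design point is that `verify_math` alone answers only "was this made with this key"; whether that answer is worth anything is the business decision the post separates out, and the two policies make that decision explicit instead of hiding it in the verification routine.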