On 1/8/19 6:22 PM, Russ Allbery wrote:
> I wonder how hard it would be to add WebAuthn as a preauth mechanism for Kerberos as part of a FAST chain. HOTP/TOTP don't have the greatest security properties, even though most Kerberos use cases are inherently less vulnerable to phishing than the typical web authentication use.
I have no idea. It sounds interesting though.
> Internet use is very common in the Kerberos community.
Does this include client <-> KDC?
> It is somewhat vulnerable to weak user passwords, but I'd probably invest my effort in FAST via anonymous PKINIT to solve that problem instead of network tunnels.
Ya. I like bolstering Kerberos's security via FAST w/ PKINIT more than the tunnels. Tunnels just introduce another complexity ~> failure point. (Even IPSec Transport Mode.)
My cursory reading makes me think that FAST is what provides the security (by encrypting more things through the Fast and Secure Tunnel) using parameters derived via PKINIT.
-- Grant. . . . unix || die
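As an added illustration of the "FAST via anonymous PKINIT" setup discussed above (not configuration from the thread or from MIT krb5 itself), this is the minimal MIT krb5 configuration for using an anonymous PKINIT ticket as FAST armor; the realm, hostnames and file paths are placeholders.

```ini
# KDC side: kdc.conf. Realm and paths are placeholders.
[realms]
    EXAMPLE.COM = {
        # Certificate and key the KDC uses to sign its PKINIT reply. The
        # client checks it against its own pkinit_anchors, so the armor key
        # cannot be supplied by someone impersonating the KDC on the network.
        pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
        pkinit_anchors = FILE:/var/lib/krb5kdc/cacert.pem
    }
# Anonymous PKINIT also requires the well-known anonymous principal:
#   kadmin.local -q "addprinc -randkey WELLKNOWN/ANONYMOUS"

# Client side: krb5.conf. The client needs no certificate of its own,
# only the CA that issued the KDC certificate.
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        pkinit_anchors = FILE:/etc/krb5/cacert.pem
        # Only needed if the KDC certificate lacks the PKINIT KDC SAN.
        pkinit_kdc_hostname = kdc.example.com
    }
# Usage:
#   1. Obtain an anonymous TGT into its own cache, authenticated solely
#      by the KDC certificate:
#        kinit -n @EXAMPLE.COM -c /tmp/armor_ccache
#   2. Use that cache as FAST armor for the password-based login, so the
#      encrypted-timestamp preauth is carried inside the armored channel
#      rather than exposed to an offline dictionary attack on the wire:
#        kinit -T /tmp/armor_ccache alice@EXAMPLE.COM
```

Checking with `klist -c /tmp/armor_ccache` should show a ticket for WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS; if step 2 fails with a preauth error, the KDC most likely has FAST disabled or the armor ticket has expired.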
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos