> From: Rens Troost <rens@imsi.com>
>
> Peter sez:
> > Kerberos is well-designed AND secure? WRONG in detail, but BETTER THAN
> > LOTS OF OTHER STUFF. P.
>
> I agree it's a bit clunky, but do you think any insecurities come from the
> algorithm being public knowledge? Seems more like implementation goofs (e.g.
> the recent telnet problem)
>
> [ I guess this discussion is pretty off topic, but it's the only traffic this
> list has seen in a while! ]
>
> -Rens
>

I agree with your original statement, that if a system has been designed
in a secure manner - truly secure manner - then it makes no difference
on the level of detail published about the defenses used. This follows
the same line of thought as cryptography code; in that cryptographic code
that bases its security on the notion of the code itself being "secure"
and private, is not secure at all, and that only the release of such code
for public review and comment is the only way to make such code
bulletproof.

Of course, we begin yet another Tempest in a Teapot on this issue as
well....

However, in regards to system security, this concept only works in
theory, not in practice. The only way to PROVE that a system is truly
secure is to begin the process of mathematically proving its security,
and outside of the DOD environment I have yet to see anything that would
fit into this category.

"Success through teamwork"
===============================================================================
Dale Drew                              MCI Telecommunications
Manager                                internetMCI Security Engineering
Voice:  703/715-7058                   Internet: ddrew@mci.net
Fax:    703/715-7066                   MCIMAIL:  Dale_Drew/644-3335