<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Kerberos on Control Plane by Karl McGuinness</title><link>https://notes.karlmcguinness.com/tags/kerberos/</link><description>Recent content in Kerberos on Control Plane by Karl McGuinness</description><generator>Hugo</generator><language>en-us</language><managingEditor>public@karlmcguinness.com (Karl McGuinness)</managingEditor><webMaster>public@karlmcguinness.com (Karl McGuinness)</webMaster><lastBuildDate>Wed, 08 Jul 2026 10:00:00 -0700</lastBuildDate><atom:link href="https://notes.karlmcguinness.com/tags/kerberos/index.xml" rel="self" type="application/rss+xml"/><item><title>Kerberos Won Because Nobody Had to Implement It</title><link>https://notes.karlmcguinness.com/notes/kerberos-won-because-nobody-had-to-implement-it/</link><pubDate>Wed, 08 Jul 2026 10:00:00 -0700</pubDate><author>public@karlmcguinness.com (Karl McGuinness)</author><guid>https://notes.karlmcguinness.com/notes/kerberos-won-because-nobody-had-to-implement-it/</guid><description>The question worth asking about AAuth is not whether the protocol is good. Kerberos won because of everything around the protocol: SSPI and GSS-API hid the mechanism from application developers, the LSA owned keys and ticket lifecycle, machine accounts existed as a side effect of domain join, Active Directory shipped the KDC by default, and SPNEGO made rollout incremental. Mapping that stack onto agents shows where the work is: the MCP client is the most SSPI-shaped thing shipping, SPIFFE and vendor brokers are competing for the custody layer, HTTP authentication challenges are a useful but weaker SPNEGO analog, and nobody ships the authority by default. AAuth has specified the wire and named the platform split. The layers that made Kerberos invisible are still unclaimed.</description></item></channel></rss>