RE: Kerberos on the web

[Zafar Baig]

Title: Message

Resending my message to highly Mr. Christiansen in the "To" box as it was originally addressed to him. I had addressed it to everyone in my previous send. Anyway everyone, please feel free to comment.

 

Thanks and sorry for the repeat.

 

-------

 

Backgrounder: I am a technical engineering person who has worked on the MIT krb5 standard on various win32, unix and linux platforms for several years now. Most of these are through very large scale mission criticial security server deployments with OSF/opengroup DCE (fyi...DCE has been going hand-in-hand with krb5 for a really long time now). A 100% interoperability is a major concern for scalable systems otherwise it becomes a "my way or the highway" situation. I spend little time developing krb5 apps but I work pretty deep into the system level code.

 

I am looking forward to knowing the technical answers for the speculative or misleading statements (or "lies") from that article. I won't look at magazines or .Net's Passport (krb5) reviews for this analysis. Let us truely analyze the system without bias and see how cool it may or may not be.

 

First....What is the latest situation with Krb5 on win2k in terms of interoperability overhead (especially when considering the proprietary PAC stuff)? I know that MS has been pushing for it's "Federated" Kerberos through (project liberty) but what is the latest situation on licensing and open source? How many auth requests can a krb5 Win2k server take and what will be the % uptime? The media is only a tool to spread the word/hype around. I will look at the MS-krb5 code myself if I can get it. How/when can I get this?

 

Your answers to these question will pretty assert the big picture.

 

Z

-----Original Message-----
From: David Lawler Christiansen (NT) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 17, 2002 3:17 PM
To: Zafar Baig; hot ice; [EMAIL PROTECTED]
Subject: RE: Kerberos on the web

No offense, but this article is old news, speculative and misleading in places.  It has nothing to do with MS's use of Kerberos in Passport (which is what Ice is asking, I think), and only questions whether our Kerberos implementation will interoperate with any other implementation.  The simple question I must ask in this case is, "have you TRIED it?"

 

My experience is that everyone who insists that we don't interoperate is either speculating, mistaken, or outright lying.  We interop just fine, either as a client, a server, or as a KDC, in single and multiple-realm scenarios.  If you don't believe me, hunt down someone with Win2K and/or WinXP, or get on the beta program for .NET server.  Run your own tests and draw your own conclusions-- don't just believe the spin. 

 

Thanks!

-Dave

 

-----Original Message-----
From: Zafar Baig [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 17, 2002 11:27 AM
To: David Lawler Christiansen (NT); hot ice; [EMAIL PROTECTED]
Subject: RE: Kerberos on the web

http://www.infoworld.com/articles/en/xml/00/04/28/000428enkerpub.xml

Please read this article carefully to understand interoperability issues.

Excerpts from this article....

"....Microsoft's PAC locks users into its version of Kerberos."

-----Original Message-----
From: David Lawler Christiansen (NT)
[mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 17, 2002 1:47 PM
To: hot ice; [EMAIL PROTECTED]
Subject: RE: Kerberos on the web

Not trolling, but where exactly did you hear that we were doing it "all
our way", and what does that mean? 

Thanks!
-Dave

> -----Original Message-----
> From: hot ice [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 17, 2002 10:00 AM
> To: [EMAIL PROTECTED]
> Subject: Kerberos on the web
>
>
> Are there any commercially available kerberos-based
> authentication products for the web? I know Microsoft is
> doing something with Passport - but that's still all fuzzy
> and they are doing it in typical MS-fashion doing it all
> their way, or so I hear.
>
> Any suggestions or recommendations on products that offer
> website authentication - username/password, smartcard and a
> combination..?
>
> TIA
>