[leaving the disclaimers intact] :-)
> > Standard Disclaimer: Speaking for myself, not necessarily
> > my employer.
>
> Ditto :)

[...]

> I disagree with this point - by making it much more
> cumbersome to administer and removing it from the Windows
> Domain, the incentive to use anything other than MS as the
> KDC is eliminated.

Yes, of course, I'd be lying if I said we wouldn't prefer that people use our product over anyone else's. Businesses who promote their competitors' products usually don't do well in the marketplace, unfortunately. :-S

As far as intent goes, we didn't design Windows to be hard to use outside of an MS domain. Many/most of the features provided by Kerberos are for obvious reasons not available using even NT4 or 3.X environments, and making those domains harder to use was obviously not a design goal in Win2k or XP. To continue an example I already used, Group Policy is not available in Domains prior to Win2k. This certainly does not mean we would want to break compatibility with NT4. By this token, we are still compatible with NT4-- we just have new features that don't work with it.

[...]

> > Those changes can be made without group policy-- it's just not as
> > easy.
>
> "It's just not as easy" is the key point here. Ease of use is
> a primary motivator in the marketplace.

I agree that it's *a* motivator, but I don't think it's always the primary one. Cost is another concern-- we recognize that not all organizations can afford to buy domain controllers. Sometimes, for example, an organization can afford labor much more easily than they can afford hardware. This feature enables those organizations to take advantage of Windows client services and maintain their existing authentication scheme. In many cases it's a good compromise, IMHO.

I should point out that there's nothing to stop other organizations from implementing the features we use. Someone else could implement an authorization system that sits on top of Windows Kerberos and provides authorization data so that the lack of a PAC is not important, for example. Group policy, for example, could be implemented by a third party.

[...]

> You used Kerberos and extended into other parts of the OS,
> thus making them at least partially relevant here. If one
> can only access certain Kerberized features of your system by
> using your own Kerberos implementation then you can't claim
> interoperability with everyone.

Defining interoperability in this way is very squishy-- you are asking more than what we are currently claiming AFAIK. This is a philosophical matter about which I doubt we have any middle ground. :-)

> I suppose there is a semantic argument here about whether we
> are talking about the Kerberos Protocol itself (RFC 1510) or
> the suite of Kerberos software in the public domain (MIT KRB5
> for example). Yes, you are using the protocol correctly, no
> argument there.

This last sentence is all that I am asserting-- I'm glad to hear that I'm not the only person who thinks so :-)

[...]

> But you aren't allowing people to make this comparison on an
> apples-to-apples basis. By removing domain features and
> making it much more cumbersome to administer your own
> systems, the scales are weighted much more heavily in your
> own favor. It's a smart business move on your part, but it
> generates ill-will because the whole thing is based on an
> open standard.

I don't think we'll ever agree on the ethics of this, but I'll try a somewhat timely yet farfetched analogy:

Say the airlines decide to standardize the size, shape, and maximum weight of checked baggage. This is so that the bags can be packed into a tighter space and to ensure that their baggage handlers do not break their backs. The bags slide into a slot and if they don't fit, they just don't go on the plane. In response, I design a device that is exactly the size and shape of a suitcase. The device allows me to pack more stuff into the "suitcase" and still fit aboard the plane through some form of interdimensional magic. Now, say I design another device that fits aboard an aircraft that accepts standard suitcases and is able to take advantage of some mystical, as-yet-unrevealed property of the interdimensional devices if they are aboard it to make the airplane consume less fuel.

If I were to sell such a pair of devices, I would not be obligated to release the design specifications to the world. Some people might claim that the devices are unsafe, but I'd let them view the specs if they accepted nondisclosure to protect me. Those people could study the specs and determine for themselves. Nobody would go around shouting that the special bags would not fit aboard "standard" aircraft. Similarly, nobody would cry falsely that the newly-enhanced aircraft could no longer accept the standard bags. If they were, there would be footage of me verifying that the bags and plane work in all four combinations and the issue would die.

The scenario sounds preposterous, yet IMHO this is exactly what's happening with Microsoft Kerberos.

> -Wyllys

Thanks!

-Dave
