On Jan 30, 11:05am, Peter Honeyman wrote:
} Subject: Re: Kerberos vs. LDAP for authentication -- any opinions?

Good afternoon to everyone, hope that your respective weekends are going well. Just a note before I head out with the Golden Retriever for an afternoon of x-country skiing in the new snow. I hope the following attributions are correct. Additional comments below.

> > On Jan 29, 8:45am, "Douglas E. Engert" wrote:
> > } Subject: Re: Kerberos vs. LDAP for authentication -- any opinions?
> >
> >> Many of the Browser issues can be addressed by Kx509 from the
> >> University of Michigan. It can obtain a short term X509 certificate
> >> using Kerberos for authentication. The certificate and key are then
> >> stored so the browser can use it with SSL to any web server. It works
> >> with IE and Netscape on Windows. It runs on UNIX and Mac as well.
> >> http://www.citi.umich.edu/projects/kerb_pki/
> >
> > Didn't Whit Diffie file a patent which covered the concept of using
> > short-term certificates as authentication brokers?
> >
> > If so does the Kx509 stuff have some sort of divine absolution with
> > respect to it?
>
> a search on the patent office shows only two patents with diffie listed
> as an inventor: diffie-hellman, and "Method and apparatus for privacy
> and authentication in wireless networks" which doesn't seem to apply.
>
> i have cc'ed greg wettstein for clarification.

I just checked my archived e-mail and notes on this. My remembrance of this stuff was from when I was involved with an ill-fated startup centered around my IDfusion technology for, interestingly enough with respect to this thread, inherently secure directory based authorizations.

The patent that I was remembering was not by Whit Diffie; rather it was by a company (Arcot) who has Dr. Hellman on their Board of Directors. Guilt by association I guess.... :-)

For anyone who is interested the relevant patent is #6,263,446 issued to Kausik et al. on July 17th, 2001. The patent is titled 'Method and apparatus for secure distribution of authentication credentials to roaming users.'

I have snipped and pasted the abstract below:

  A roaming user needing his authentication credential (e.g., private key) to access a computer server to perform an electronic transaction may obtain the authentication credential in an on-demand fashion from a credential server accessible to the user over a computer network. In this way, the user is free to roam on the network without having to physically carry his authentication credential. Access to the credential may be protected by one or more challenge-response protocols involving simple shared secrets, shared secrets with one-to-one hashing, or biometric methods such as fingerprint recognition. If camouflaging is used to protect the authentication credential, decamouflaging may be performed either at the credential server or at the user's computer.

Before I get jumped on let me state clearly and for the record that I don't mean to suggest that Kx509 is infringing or that the above is even relevant. After my experiences, believe me, I can write a book on why anyone who is even remotely interested in seeing open-source or open-protocol solutions succeed wants nothing to do with this patent mess. It would take a boatload of attorneys to actually figure out whether the above is relevant with respect to Kx509. The cost of something like that is probably why the whole patent scene is as dangerous as it is.

The notion of solving the portability problem of PKI by accessing a private key and/or certificate at demand time is a relevant problem. That's why the above patent has always given me pause when I think about architectures such as Kx509.

> peter

Best wishes for a pleasant weekend to everyone.

Greg

As always,
Dr. G.W. Wettstein, Ph.D.       Enjellic Systems Development, LLC.
4206 N. 19th Ave.               Specializing in information infra-structure
Fargo, ND 58102                 development.
PH: 701-281-1686
FAX: 701-281-3949
EMAIL: [EMAIL PROTECTED]
------------------------------------------------------------------------------
"Open source code is not guaranteed nor does it come with a warranty."
                                -- the Alexis de Tocqueville Institute

"I guess that's in contrast to proprietary software, which comes with a
money-back guarantee, and free on-site repairs if any bugs are found."
                                -- Rary

________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos