>I was curious if anyone has any comments (personal/political/technical)
>or could point me to a decent resource comparing Globus versus
>Kerberos. I've had to work with Globus quite a bit, and the overall
>trend in the existing GSI-based research grids is to move towards
>centrally managed cert/key repositories despite the pure GSI notion of
>keeping everything distributed. There's a handful of new research
>projects that basically take GSI and add that "centralized" portion,
>although in my opinion it's starting to resemble a Kerberos
>architecture.

Back in 1999 during a meeting about inter-operable authentication (it was actually _at_ SDSC, interestingly enough), Globus was just starting up (this was back when Legion was still considered a viable alternative instead of the PhD generator everyone considers it now). The Globus guys gave a presentation on their authentication infrastructure, and I pointed out that they had just reinvented a lot of Kerberos, and asked them, "How come you guys didn't just use Kerberos?". I was given what I can only politely say was a song and dance about Kerberos cross-realm being "too tightly bound to each other", and they preferred the "looseness" of certificate chaining, whatever that means. When I cornered one of the Globus guys and asked him point-blank the same question, he told me that in his opinion the decision to do PKI was really driven politically from the top, and he thought Kerberos made a LOT more sense.

In a more practical vein, I will note that Sandia uses (or at least used to use) Globus with a Kerberos GSSAPI backend instead of the GSI backend. This was a few years ago, so I don't know what they're doing now. However, they told me that they were still using Globus 1, and that doing Globus 2 was going to be a real bear because of the changes they made to the GSSAPI layer for Globus 2 (even doing Globus 1 with Kerberos required some GSSAPI changes which never made it back to any of the open-source distributions). I dunno if they ever went to Globus 2 or not (I may be remembering the version numbers wrong, but to me this was the gist of what Pat Moore told me).

This to me illustrates one of the problems with the GSSAPI ... to do the real interesting stuff, you end up having to dig down into mechanism-specific extensions and you lose the "generic" part of GSSAPI.

--Ken
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos