NESSETT@CCC.NMFECC.GOV (12/19/89)
The argument whether a cost of $12.50/user/year is significant when comparing the relative benefits of Kerberos and an X.500 based approach actually turns on more basic considerations than the costs of the security mechanism per se. The question is what proportion of the overall system cost does the per certificate cost represent.

A computer center supporting a user population of about 2,000 would probably have a budget of about $30 million/year. Given that large computers are becoming less economically attractive, let's cut this number in half and say you can support a user population of 2,000 on $15 million per year. That works out to about $7,500 per user per year. This is total system cost including hardware, software support, staff salaries, plant, administration, etc. Let's be real conservative and say a minimum computing environment can be sustained with a per user cost of $5,000 per year.

Given such cost figures, what is the overall impact of $12.50/user/year? If the X.500 solution to authentication has major technical advantages (as Jon Rochlis suggests), it would seem prudent to employ it.

Even a margin cost argument must take into account the impact of decreased interoperability when a non-standard authentication mechanism is employed. Given that the certificate approach has major technical advantages, isn't the burden of proof on the Kerberos people to show that the cost savings outweigh significant costs of decreased interoperability?

Perhaps even more pertinent is the fact that sites adopting Kerberos will probably have to support both it and X.500, since the latter is an integral part of the ISO protocol standards milieu.

Dan Nessett
craig@bbn.com (Craig Partridge) (12/20/89)
> The argument whether a cost of $12.50/user/year is significant when comparing
> the relative benefits of Kerberos and an X.500 based approach actually turns on
> more basic considerations than the costs of the security mechanism per se.
> The question is what proportion of the overall system cost does the per
> certificate cost represent.....
> ... Let's be real conservative and say a minimum computing
> environment can be sustained with a per user cost of $5,000 per year.
>
> Given such cost figures, what is the overall impact of $12.50/user/year?

Dan:

I think your logic is faulty here. The true cost of that certificate is probably > $100. 12.50 plus a couple of labor hours of managing that certificate.

To take a standard bureaucratic situation. That certificate has to be requisitioned, a check has to be cut, the certificate has to be received, it has to be filed (it is valuable enough to keep track of) and I have to be told what it is. My company isn't this bad, but lots of places are. Purchasing things in a corporate world can often cost a lot more than the price tag on the thing you buy.

So we're now talking a 2% budget hit for your computer center costs. Big enough for someone to notice, although perhaps not big enough for them to care.

Craig