NESSETT@CCC.NMFECC.GOV (12/09/89)
There has been a fair number of messages on the kerberos mailing-list that
suggest using kerberos with ISO standards. The following is an example.
Would anyone on the ISO discussion list care to comment on this concept?
Please also copy your comments to kerberos@athena.mit.edu.
Dan Nessett
----------------------Forwarded message---------------------------------
From: barlow@DECWET.ENET.DEC.COM (Repatriated Treehugger)
Subject: Re: kerberos application to OSI
Date: Fri, 8 Dec 89 14:10:51 -0500
Received: from ATHENA.MIT.EDU by CCC.NMFECC.GOV with INTERNET ;
Fri, 8 Dec 89 12:21:20 PST
Received: from CRL.DEC.COM by ATHENA.MIT.EDU with SMTP
id AA20771; Fri, 8 Dec 89 14:20:34 EST
Received: by crl.dec.com; id AA08297; Fri, 8 Dec 89 14:20:24 -0500
Received: by easynet.crl.dec.com; id AA04353; Fri, 8 Dec 89 14:10:54 -0500
Message-Id: <8912081910.AA04353@easynet.crl.dec.com>
To: "lloyd@EXCELAN.COM"@CRL.DEC.COM
Cc: "kerberos@ATHENA.MIT.EDU"@CRL.DEC.COM
Lloyd Spencer writes:
> I would whole-heartedly support the incorporation of a Kerberos-like
> service into FTAM, for example. The current unencoded password
> scheme is rather poor, and therefore leaves me to conclude that any
> proposed security scheme is better than none (well, in effect none).
> Although it is not my intention to be unduly critical of the FTAM
> specification nor its proponents, I would like to see more attention
> given to security.
>
> Similarly, I would like to know whether there is an effort to
> integrate a Kerberos-like service with OSI application services, such
> as FTAM, for example? We (i.e. Novell) would be interested in
> assisting and/or following up on this area since security is a key
> concern (yes, even in the area of OSI).
Note that the password encoding within FTAM is expressed as
    Password ::= [APPLICATION 17] CHOICE {
        GraphicString,
        OCTET STRING }
The octet string encoding choice was explicitly placed there for future
use of better authentication techniques than graphicstring passwords.
Stick your Kerberos ticket in there, and you've got strong
authentication, and are completely ISO conformant!
Doug Barlow
Ex ANSI FTAM Rapporteur
Digital Equipment Corporation

lloyd@na.excelan.com (Lloyd Spencer) (12/15/89)
According to Dan Nessett:
> In the case of security in distributed systems, there is already a standard
> that provides a foundation upon which can be built systems with the
> functionality of kerberos. This is the X.509 standard, which forms part of
> the X.500 directory service standard, and which uses public-key encryption to
> sign 'certificates' binding a user's name with a public-key. Implementations
> of X.509 are in approximately the same stage of development as kerberos,
> although slightly behind.
Who is a contact to obtain information on the current X.509 efforts?
-----------------------------------------------------------------------
Lloyd Spencer
Novell, Inc.
Product Marketing
2180 Fortune Drive
San Jose, CA 95131
Phone : (408) 473-8242
UUCP : {ames,sun,apple,amdahl,mtxinu,cae780}!excelan!lloyd
Internet: lloyd@excelan.com
-----------------------------------------------------------------------
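
Added example, not part of the original messages: a BER encoder and decoder for the FTAM Password type quoted in Doug Barlow's message, showing how a receiver tells the GraphicString alternative from the OCTET STRING one by the inner tag. The function names are hypothetical, and the code assumes primitive definite-length encodings only, ASCII-only GraphicString content, and treats the OCTET STRING content as opaque bytes.

```python
# Assumptions: primitive definite-length encodings only; ASCII GraphicString.
APPLICATION_17 = 0x71  # APPLICATION class 0x40 | constructed 0x20 | tag number 17
GRAPHIC_STRING = 0x19  # UNIVERSAL 25, primitive form
OCTET_STRING = 0x04    # UNIVERSAL 4, primitive form

def tlv(tag, content):
    """Tag, definite-form length (short or long), content."""
    n = len(content)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content

def encode_password(value):
    """str selects GraphicString, bytes selects OCTET STRING."""
    if isinstance(value, str):
        inner = tlv(GRAPHIC_STRING, value.encode("ascii"))
    else:
        inner = tlv(OCTET_STRING, bytes(value))
    # A tag on a CHOICE is always explicit, so the wrapper is constructed.
    return tlv(APPLICATION_17, inner)

def read_tlv(buf):
    """Return (tag, content) for a buffer holding exactly one TLV."""
    if len(buf) < 2:
        raise ValueError("truncated header")
    tag, first, pos = buf[0], buf[1], 2
    length = first
    if first >= 0x80:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length != len(buf):
        raise ValueError("length does not match buffer")
    return tag, buf[pos:pos + length]

def decode_password(buf):
    """Return ("graphic", str) or ("octets", bytes); reject anything else."""
    tag, body = read_tlv(buf)
    if tag != APPLICATION_17:
        raise ValueError("not an [APPLICATION 17] Password")
    inner_tag, content = read_tlv(body)
    if inner_tag == GRAPHIC_STRING:
        return "graphic", content.decode("ascii")
    if inner_tag == OCTET_STRING:
        return "octets", content  # opaque to FTAM; the Kerberos layer validates it
    raise ValueError("unknown Password alternative")
```

The decoder only selects the alternative; whatever sits in the OCTET STRING still has to be verified by the authentication code that understands it.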