NESSETT@CCC.NMFECC.GOV (12/09/89)
There has been a fair number of messages on the kerberos mailing-list that
suggest using kerberos with ISO standards. The following is an example. Would
anyone on the ISO discussion list care to comment on this concept? Please also
copy your comments to kerberos@athena.mit.edu.

Dan Nessett

----------------------Forwarded message---------------------------------
From: barlow@DECWET.ENET.DEC.COM (Repatriated Treehugger)
Subject: Re: kerberos application to OSI
Date: Fri, 8 Dec 89 14:10:51 -0500
Received: from ATHENA.MIT.EDU by CCC.NMFECC.GOV with INTERNET ; Fri, 8 Dec 89 12:21:20 PST
Received: from CRL.DEC.COM by ATHENA.MIT.EDU with SMTP id AA20771; Fri, 8 Dec 89 14:20:34 EST
Received: by crl.dec.com; id AA08297; Fri, 8 Dec 89 14:20:24 -0500
Received: by easynet.crl.dec.com; id AA04353; Fri, 8 Dec 89 14:10:54 -0500
Message-Id: <8912081910.AA04353@easynet.crl.dec.com>
To: "lloyd@EXCELAN.COM"@CRL.DEC.COM
Cc: "kerberos@ATHENA.MIT.EDU"@CRL.DEC.COM

Lloyd Spencer writes:
> I would whole-heartedly support the incorporation of a Kerberos-like
> services into FTAM, for example. The current unencoded password
> scheme is rather poor, and therefore leaves me to conclude that any
> proposed security scheme is better than none (well, in effect none).
> Although it is not my intention to be unduly critical of the FTAM
> specification nor its proponents, I would like to see more attention
> given to security.
>
> Similarly, I would like to know whether there is an effort to
> integrate a Kerberos-like service with OSI application services, such
> as FTAM, for example? We (i.e. Novell) would be interested in
> assisting and/or following up on this area since security is a key
> concern (yes, even in the area of OSI).

Note that the password encoding within FTAM is expressed as

    Password ::= [APPLICATION 17] CHOICE { GraphicString, OCTET STRING }

The octet string encoding choice was explicitly placed there for future use of
better authentication techniques than graphicstring passwords. Stick your
Kerberos ticket in there, and you've got strong authentication, and are
completely ISO conformant!

Doug Barlow
Ex ANSI FTAM Rapporteur
Digital Equipment Corporation
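
The Password type quoted in the forwarded message, as an added example that is not part of the original messages or of any FTAM implementation: a small BER encoder and decoder showing how the two CHOICE alternatives differ on the wire, so a receiver or a protocol monitor can tell a cleartext GraphicString password from an opaque OCTET STRING authenticator. Assumptions: the [APPLICATION 17] tag is encoded explicitly (a tagged CHOICE always is), GraphicString content is limited to ASCII, only primitive definite-length encodings are handled, and the function names are hypothetical.

```python
# Added illustration of: Password ::= [APPLICATION 17] CHOICE { GraphicString, OCTET STRING }
APP17_CONSTRUCTED = 0x71   # class APPLICATION, constructed, tag number 17
GRAPHIC_STRING = 0x19      # UNIVERSAL 25 (assumed ASCII-only content here)
OCTET_STRING = 0x04        # UNIVERSAL 4

def _enc_len(n):
    if n < 0x80:
        return bytes([n])                      # short form
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body    # long form

def _tlv(tag, value):
    return bytes([tag]) + _enc_len(len(value)) + value

def encode_password(value):
    """str -> GraphicString alternative; bytes -> OCTET STRING alternative."""
    if isinstance(value, str):
        return _tlv(APP17_CONSTRUCTED, _tlv(GRAPHIC_STRING, value.encode("ascii")))
    return _tlv(APP17_CONSTRUCTED, _tlv(OCTET_STRING, bytes(value)))

def _read_tlv(buf, pos=0):
    """Return (tag, value, next_pos); definite lengths only, bounds-checked."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_password(buf):
    """Return ('graphic', str) or ('octets', bytes) for one Password value."""
    tag, inner, end = _read_tlv(buf)
    if tag != APP17_CONSTRUCTED or end != len(buf):
        raise ValueError("not a single [APPLICATION 17] Password")
    itag, value, iend = _read_tlv(inner)
    if iend != len(inner) or itag not in (GRAPHIC_STRING, OCTET_STRING):
        raise ValueError("unexpected content inside Password")
    if itag == GRAPHIC_STRING:
        return "graphic", value.decode("ascii")   # cleartext password on the wire
    return "octets", value                         # opaque authenticator bytes
```

The decoder only classifies the alternative; what the OCTET STRING bytes mean, and whether they authenticate anyone, is up to the responder that receives them.
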
lloyd@na.excelan.com (Lloyd Spencer) (12/15/89)
According to Dan Nessett:
> In the case of security in distributed systems, there is already a standard
> that provides a foundation upon which can be built systems with the
> functionality of kerberos. This is the X.509 standard, which forms part of
> the X.500 directory service standard, and which uses public-key encryption to
> sign 'certificates' binding a user's name with a public-key. Implementations
> of X.509 are in approximately the same stage of development as kerberos,
> although slightly behind.

Who is a contact to obtain information on the current X.509 efforts?

-----------------------------------------------------------------------
Lloyd Spencer
Novell, Inc.
Product Marketing
2180 Fortune Drive
San Jose, CA 95131
Phone   : (408) 473-8242
UUCP    : {ames,sun,apple,amdahl,mtxinu,cae780}!excelan!lloyd
Internet: lloyd@excelan.com
-----------------------------------------------------------------------