[comp.protocols.kerberos] kerberos and the ISO protocol standards

NESSETT@CCC.NMFECC.GOV (12/14/89)

Quoting Robert Cole, Karl Auerbach writes:

>> Thus it is not possible to 'standardise' kerberos, nor really possible
>> to specify its use in a standard.

> ???? Has the "standards" process reached the point where existing work
> is not eligible?  Rather a "standard" must be new?  Is somebody
> suffering from not-invented-here syndrome?

I believe Karl quotes Robert Cole out of context.  The full quotation reads:

> Thus it is not possible to 'standardise' kerberos, nor really possible
> to specify its use in a standard. But it is possible to contribute to
> the standards activities in the area and to ensure that the resulting
> standards meet the requirements which Kerberos was designed for.

Standards are by nature agreed upon by a wide community.  Participation in the
standards process guarantees only that your views will be heard and that your
requirements will be met (if they don't conflict with other requirements).
In the case of security in distributed systems, there is already a standard
that provides a foundation upon which can be built systems with the
functionality of kerberos.  This is the X.509 standard, which forms part of
the X.500 directory service standard, and which uses public-key encryption to
sign 'certificates' binding a user's name with a public-key.  Implementations
of X.509 are in approximately the same stage of development as kerberos,
although slightly behind.

While the developers of kerberos are to be congratulated for their industry and
appreciation of the significance of the distributed systems security problem,
the certificate approach is much more likely than kerberos to be used in ISO
standards.

Dan Nessett

jon@MIT.EDU (Jon A. Rochlis) (12/15/89)

   From: NESSETT@CCC.NMFECC.GOV
   Message-Id: <891213123233.5280012c@CCC.NMFECC.GOV>
   Subject:   Re: kerberos and the ISO protocol standards
   To: KERBEROS@ATHENA.MIT.EDU

   Implementations of X.509 are in approximately the same stage of
   development as kerberos, although slightly behind.
   
   While the developers of kerberos are to be congratulated for their
   industry and appreciation of the significance of the distributed systems
   security problem, the certificate approach is much more likely than
   kerberos to be used in ISO standards.
   
Certificates have major advantages, it is true.  However the choice of
an asymmetric encryption algorithm (i.e. RSA) creates tremendous
legal/financial problems, while the use of DES trumps those.  So far
the only public arrangements with RSADI (who controls the
RSA patent) are for the Internet e-mail keys (at $25 a user / per 2
years).  Nobody knows what arrangements can be had for any other use.
While I believe the RSA problems only apply within the US (and exclude
the government and MIT), that still leaves a lot of people with
serious exposure if they elect to go the X.509 route ... whereas they
can go with Kerberos now and not pay anybody any money.

		-- Jon

mbr@lambda.UUCP (Mike Rose) (12/15/89)

In article <8912141955.AA25301@DELWIN.MIT.EDU> jon@MIT.EDU (Jon A. Rochlis) writes:
>Certificates have major advantages, it is true.  

What's all this about "certificates"?  Where can I read about them?

Mike