rhc@HPLB.HPL.HP.COM (Robert Cole) (12/11/89)
> There has been a fair number of messages on the kerberos mailing-list that
> suggest using kerberos with ISO standards. The following is an example.
> Would anyone on the ISO discussion list care to comment on this concept?
> Please also copy your comments to kerberos@athena.mit.edu.
> Dan Nessett

Dan,

Work in SC21/WG1 on security is attempting to put into place a framework for security in OSI applications which can be used by all applications (FTAM, MHS, Directory, etc). This is intended to avoid each application doing their own ad-hoc solutions based (usually) on a password. One part of this framework is a document on authentication, and another on access control. The access control framework contains a concept very similar to the Kerberos ticket, but is generalised. The Frameworks are nowhere near complete, and of course they do not contain any key management.

In ECMA TC32/TG9 (Security in Open Systems) a standard authentication and security attribute service is being developed. This standard is intended to meet all of the functionality of kerberos, as far as possible. Where possible the architecture is similar to Kerberos. This group has just completed a standard called "Security in Open Systems - Data Elements and Services" which describes a whole set of security services needed in an open system, and the security data that is required to communicate between these services. The model in this standard is not very different from that used for Kerberos.

Several things happen when a function is standardised:

1. The various processes have to be separated: key management, security data management, authentication exchanges, ticket support, etc.
2. General cases are considered and attempts made to incorporate them.
3. Implementation is separated from design.
4. Many others.

Thus it is not possible to 'standardise' kerberos, nor really possible to specify its use in a standard. But it is possible to contribute to the standards activities in the area and to ensure that the resulting standards meet the requirements which Kerberos was designed for.

Robert (Member of ECMA TC32/TG9)
karl@ASYLUM.SF.CA.US (Karl Auerbach) (12/14/89)
> Thus it is not possible to 'standardise' kerberos, nor really possible
> to specify its use in a standard.

???? Has the "standards" process reached the point where existing work is not eligible? Rather, a "standard" must be new?

Is somebody suffering from not-invented-here syndrome?

--karl--