Kerberos - Enough Already

Mike Sheldon msheldon@desertraven.com
Wed, 10 May 2000 16:08:32 -0700


OK, apparently FUD works BOTH ways.

Microsoft did not make changes to Kerberos without consulting the Kerberos
group. Quite to the contrary, M$ DID make changes to their original
implementation based on feedback from the leadership of the Kerberos
project.

The full text of the letter from Clifford Neuman can be found at
http://www.counterpane.com/crypto-gram-0004.html#CommentsfromReaders

Clifford Neuman is the group leader for "Global Operating Systems Technology
Group", the current maintainers of the Kerberos standard.
http://www.isi.edu/gost/gost-group/

Specifically, the following excerpt from Clifford's letter applies:

"There is not currently a standard for representing group information in the
authorization data field of Kerberos tickets, so I can't fault Microsoft for
developing their own. As part of the design and release of the authorization
components of Win2K, they registered identifiers for their authorization
data elements, and discussed the high level architectural issues of their
use with myself and others in the Kerberos community. This is highlighted by
the fact that their early design called for an interpretation of the
authorization data field that was inconsistent with its defined use and
intent. After discussion (and before they implemented), we worked out an
extension that 1) preserved the original intent, 2) significantly improved
the usability of the authorization data field for authorization by anybody,
not just Microsoft, and 3) is specified in the current Internet draft
revising the Kerberos specification."

Please leave the FUD-slinging to Microsoft. Linux does not benefit from
disinformation no matter who is providing it.

Michael J. Sheldon
Internet Applications Developer
Phone: 480.699.1084
http://www.desertraven.com/
PGP Key Available on Request