Kerberos Loophole May Be Closed/Apple Getting Kerberos
Paul Boutin writes "The Industry Standard talked to Kerberos' principal author and all-around ubergeek Clifford Neuman about his proposed rewrite of the IETF Kerberos standard (RFC 1510) to close the loophole Microsoft has been using to create a non-interoperable version." It also looks like Apple will be bringing Kerberos to OSX, in partnership with MIT.
Does anyone else see a similarity between this and the RIAA/mp3 war? In each case, you have an entrenched old-school industry trying to use stale tactics (lawsuits, etc.) to shut down the subversive new-school methods. In both cases, even though their might is formidable, it seems obvious to me that they're doomed in the long run. They don't "get it" because they're so stuck in their traditional thought prices^H^H^H^H^H^H processes.
You know what kinda scares me? That Microsoft or the RIAA will "get it." Let me paint you a picture:
MS Linux: Microsoft produces their own distro.
No, not their old "embrace and extend" strategy. In this scenario, Darth Bill repents and returns to the good side of the Source. Microsoft mines their proprietary code and programmers' skills and begins a truly killer development cycle. They were already leaning towards "rentable apps." Selling the service for their own distro would be pretty similar.
Think about it. They have the dinero and organizational structure to make serious progress on the areas that many "community" distros are struggling with (GUI for lusers, etc). They're experts at making things look attractive to customers. Red Hat has a few years on them, but once Microsoft got up to speed, they could quickly catch up. They could leverage their vendor relationships and brand name ("Your customers want Linux? We can give you MS Linux!").
I know it's hard to avoid thinking that this would just be a ploy and MS would pull a bait-and-switch later, but I'm afraid that they wouldn't. If they can remake their corporate image at the same time by "playing nice," they may not be as doomed as we might hope.
I'm not pro-MS. I'm not flamebait-ing. I'm 95% sure that MS is too stuck in their mindset to ever go this route, but I can't help but wonder about the possibility.
Damon
Work as if you don't need the money,
Love as if you've never been hurt, and
Dance as if no one's watching.
So, rather than appear foolish afterward, I renounce seeming clever now.
Probably most of you are old enough to remember the fall of communism...how the monolithic beast that was the bogey man of the 2nd half of the 20th century fell in a week (or so it seems). Once one country rebelled, everyone saw that there was nothing behind communism and it fell in a week.
As long as Slashdot continues to stand up to Micro$oft, it will enable everyone to stand up to them. So keep up with it.
Hopefully I didn't put any [] around my words.
This would actually be a very bad idea. Regardless of whether or not Microsoft's claims of trade secret protection actually hold any water, their lawyers will happily continue to act as though they do. The result of this is that, if the Samba team went and implemented the PAC field using Microsoft's spec, they would be immediately sued for trade secret violation. The result: no updates to Samba for the next couple of years as all of their resources are sucked dry by MSFT's legal team.
In fact, even if they implemented the field through good old reverse engineering now, they'd still be in danger. Since the spec has been so widely distributed, if MSFT pressed a suit, the burden of proof would be on the Samba team's lawyers to either prove that the trade secret status was no longer applicable, or else prove that none of their programmers has been "tainted" by the spec.
It's been suggested before that MSFT actually released the spec in this way specifically to ensure that the Samba team would be unable to implement full interoperability. I certainly wouldn't put it past them.
Quantum mechanics: the dreams that stuff is made of.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
If you do, please use contraceptives. The last thing we need right now are a bunch of baby bastard Microsofts.
"1. Why does MS mutate this protocol instead of developing something completely propriety and depreciate Kerberos at all?"
Kerberos has a pretty strong standing as an "enterprise" user authentication standard. By using a superset of the Kerberos that everyone else is using they can convince people to replace their UNIX Kerberos servers with Windows NT Kerberos servers. The NT servers will do everything that the old servers do (ie run kerberos) plus more (ie do NT authentication with the proprietary MS extension).
"2. If Mac is doing an implementation, will they violate that bit where MS said that one may not implement the specifications?"
I don't imagine that Apple would try to implement the Microsoft extensions, they would simply implement the standard version just like everyone else. The only reason they would have for implementing MS extensions would be to permit use of an OSX server as the kerberos server for an NT domain. That's a pretty weird argument to make -- go ahead and buy NT workstations, but use MacOS for the servers! That would be going head-to-head with MS for the enterprise server market, which is not something that Apple has historically been real interested in.
'Scuse me, I am not a programmer and so understand very little behind the inner workings of most protocols.
Question: Why couldn't the maintainers of the Kerberos spec, along with the OSS community be bastardly, and implement a different authentication protocol within the undefined bit? To me, it seems doing so would break MS's proprietary version and place them in a situation where they must either drop their own, proprietary extension, or lock access to only Microsoft products.
Am I making sense at all or am I in error?
----
----
Am I the only one who thinks Microsoft is a misnomer? Perhaps Macrosoft would be a better fit?
The fact that it's specifically stated that they're working with MIT to develop this strongly implies that it'll be about as standard as it gets.
Well, no. See, the common use of Kerberos (and the original standard) is for authentication only -- knowing that you're you. MS, in order to let you use their services, is asking the question "Ok, you're you, but what can you do?". They're embedding the answer (your ACL) in the Kerberos header, but that means that you can't use any other Kerberos servers to talk to a MS box, since none of them can generate that info in the first place. A "proper" implementation would issue a ticket from the MS data server with the ACLs embedded, or better yet handle it as a separate datum, rather than forcing you to use an MS Keyserver.
Microsoft and its cronies love to use this 'innovate' word, but I don't think it means what they think it means. Maybe they're using MS Dictionary 1.0, I dunno.
:)
You mean... THIS one?
http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=031222222X
No, actually it's not. It walks like Kerberos, but it doesn't quack like Kerberos. It permits Kerberos clients to authenticate using a Microsoft KDC, but it does not permit use of Microsoft services if you use another KDC. If it were Kerberos, it would.
Isn't the Samba team based in au? I thought Australia gave much better protection to reverse engineering than the US.
I've had the same questions about Apple's support for Java, especially since that was the hot issue when the Apple/M$ deal was announced. Since the details of the deal were private, I suspected that Apple might be required to use M$'s Java. (Of course, Apple is not allowed by Sun to use non-Sun-compatible Java. That would put Apple in a real bind.)
As it turns out, Apple's current Java runtime is a variation on Sun's 1.1.8, and the OS X runtime will be Sun's HotSpot. IE on MacOS doesn't have its own Java, rather it uses Apple/Sun's. Unfortunately, this makes IE better than Netscape for running applets.
Ignoring the hyperbole that follows that quote -- the cryptography prevents the authentication from coming from "just anywhere". Microsoft apps should roll over and trust the KDC -- that's what it's there for: why you set it up. The bit the MS server wants is your ACL, which is about permission, rather than authentication. The MS server should get it from a trusted source, if it's not going to hold onto it itself, rather than depend on an optional field. By making the field non-optional for MS servers, MS breaks the standard. DCE does too (IIRC), but they admit it. Breaking the standard is not wrong, but claiming you didn't, when you did, is. I'll sputter all day about that (apparently :-).
DCE Kerberos is not interoperable with MIT's implementation. I don't see anyone screaming about that.
True. However, DCE is an open protocol, with full specs and source available for unrestricted download.
Finkployd
Doesn't this imply that MS has no right to claim the "enhancements" as their own intellectual property if they were actually publicly displayed before MS made them available in their own version of Kerberos?
I don't see why this is MS's problem ... If Sun or another big Unix vendor wanted to sell file servers, they could have given away free Windows NFS clients. Your problem is that Sun, et al has never been interested in the file server market.
BTW, Microsoft and Novell both charge 'seat licences', so even though the software is built-in you are still paying a couple hundred bucks per $80 client. Windows NFS drivers are in the same ballpark as what MS charges for an NT seat.
--
Business. Numbers. Money. People. Computer World.
This looks like a perfect example of "embrace and extend" turned around on Microsoft. Looks like the IETF has decided to embrace the unused data field, and extend it in a "different" direction.
This is much sweeter than simply trying to get Microsoft for using the Kerberos name when their clients won't work with a server compliant to the published standard.
Okay, I admit I'm not a Kerberos expert, but I've been looking into this issue some, and it appears to me that everyone is up in arms for all the wrong reasons.
As I understand it: Microsoft took a field in Kerberos marked for "vendor-specific data" and used it for -- get ready for this -- vendor-specific data. (If that is wrong, please feel free to correct me.)
So there is nothing wrong with Microsoft's Kerberos implementation. Getting mad at them for that is incorrect.
However, Microsoft has done some things worth getting mad about: First, the vendor-specific data is in a closed, proprietary format, designed to lock-out non-Microsoft implementations; and second, they've threatened Slashdot for what are (IMO) silly reasons (the exact merits of their case have been debated to death elsewhere; let's not repeat all that here).
We should be after MSFT to open up their protocols and compete fairly, and not after them for using a field in Kerberos for what it is designed for.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
1. Why does MS mutate this protocol instead of developing something completely propriety and depreciate Kerberos at all?
2. If Mac is doing an implementation, will they violate that bit where MS said that one may not implement the specifications?
Bizar technology?
Of all the ubergeeks, I would not have believed one to do AllAdvantage. Sheesh. See for yourself: http://home1.gte.net/bcn/recommendations/free.htm And the very link to (don't click): http://www.alladvantage.com/go.asp?refid=DJC-598 Would an ubergeek do AllAdvantage and try to take an opportunity to make money and refer herself, even though s/he is most likely to have enough money already....... No! Clifford Neuman, I pity you.
http://www.goat^H^H^H^Hmslinux.org
Will I retire or break 10K?
Bizar technology?
From linuxpr
================================================
Bynari To Bundle Trade Products with Corel
May 18th, 12:39 UTC
Use of Debian and Corel Desktop Important to Strategy
Dateline Dallas May 18, 2000 - Bynari Inc.'s Product Development Group announced that the Company will bundle TradeXCH with Corel 1.1 and Corel's Office2000 for Linux. TradeServer, due for release the week of May 23rd also requires Debian. The Product Development Group plans to bundle TradeServer and its LGPL product, Tradeclient with Corel's latest distribution.
TradeXCH allows Linux desktop users to communicate with Windows users of Outlook through MS Exchange. The use of Corel 1.1 allows TradeXCH to function in a GNU/Linux distribution which speaks to Windows networks and UNIX NFS computers.
"We feel this bundle gives enterprises a new choice," Bynari's Product Manager says. "Users have all the functionality of a robust productivity environment, a distribution which promotes corporate convergence and a tool to allow Windows users to communicate with and collaborate with Linux users in a way they have become accustomed."
Bynari will support the Corel-TradeXCH bundle with toll free call support in Canada and the United States.
More extensive information about Bynari initiatives with Corel products will be released in the next week through Bynari's Marketing Director, Lary Freeman, who has led the Company's efforts in forming several strategic alliances.
From the Office of the CEO, Bynari Inc.
Bynari Inc.
2512 Program Drive Suite 108
Dallas, TX 75220
1-800-241-1086
1-214-350-5772
info@bynari.com
http://www.bynari.com
================================================
Today's vices may be tomorrow's virtues.
Well, I don't know if you are right, but hopefully the Samba/MIT people are talking to lawyers and getting an informed opinion about the whole thing.
If you can't legally reverse-engineer or copy the protocol, at the very least, you can forget about this whole /. thing and start lobbying MS to openly release the spec. Quite a few Slashdotters work at big Microsoft shops, and if, as a customer, you let them know that Unix interoperability is important, they might just listen.
Meanwhile, the Linux advocacy crowd has been distracted by this Microsoft letter to Slashdot. My theory was that this fight was intentional on Microsoft's part (notice how the letter goes out of its way to mention "DMCA" as many times as possible).
--
Business. Numbers. Money. People. Computer World.
Actually, I bet most working versions of Kerberos don't touch that field in debate like MS does, and will be fully compatible with Kerberos v6 or whatever. Everyone could claim "v6" compatibility without changing a damn thing except MS.
Finally, even if there are other Kerberos implementations that don't work exactly with the MIT version, THEY JUST DON'T FULLY IMPLEMENT THE STANDARD, THEY AREN'T TRYING TO CHANGE/COOPT THE STANDARD! (sorry to yell)
I'm all for looking at the MS side of the situation, and not bashing them just because we hate them, but seriously: How many dumb ass monopolistic things do they have to do before such hatred is justified? Fool me once, shame on you, fool me twice......
If I had no sense of humor, I would long ago have committed suicide. -Ghandi
They just extended the protocol. Extensions is adding additional functionality while keeping the rest intact. That's what they did. Period.
The fuzz is not about the MS implementation of the protocol part. It's about the extension part. While there is NO SPECIFICATION WHATSOEVER in the protocol specs that states that extensions should be open too, people here think MS HAS TO open up the extension implementation. Of course they don't have to.
The Mac implementation is just an implementation of the protocol. If Apple adds an extension to the protocol, using own development results, why should that be a violation of MS' property? Only if Apple copied MS' extension specifications AND says it's Apple's property. Like Mercedes rips off Ford's secret engine development's secrets and says it's theirs. Yes this is the same thing.
Now, all: stop whining like a spoiled kid and get to work. There is a kernel to release.
--
Never underestimate the relief of true separation of Religion and State.
---
Why treat Microsoft differently than everyone else? (aside from the obvious)
---
Erm, because of the obvious...
- Jeff A. Campbell
- VelociNews (http://www.velocinews.com)
- Jeff
When establishing a new standard, trademark the name. This can be perfectly compliant with OSS.
Write a 'nominal fee' ($1) license for Kerberos (tm) and "Kerberoid"(tm) (or some other word that describes Kerberos compatibility), and explicit terms under which the license is automatically issued upon receipt of payment. Then give the Trademark to EFF (or IETF - though IETF is less likely to enforce, and may move more slowly on changes)
It is not too late to trademark Kerberos, since the originator has a clear history of title and trade use on this trade name for this "product".
If one requirement for licensing is 'interoperability' with a reference standard, then MSFT Kerberos becomes a litigable violation. A clever lawyer may find a way to make 'Kerberos compatible' a violation, though it would not be straightforward.
_____________
If you can go to bed, knowing you did a valuable thing today, you're very lucky. If you can't... it's not bedtime
The program refused to build the helpfile. It complained that the RTF was invalid.
Thinking that this was odd, I went to Microsoft Word 97, wrote the file there, saved it as RTF, and tried this brand new file in the same Microsoft-produced helpfile creator.
AGAIN the program complained that the RTF was invalid.
So I moved to my Linux box, fired up Applix 4.3.7, typed in the file, saved it as RTF, moved it to the Windows box, and tried again -- this time with an RTF file produced in a NON-Microsoft product.
The helpfile built without a single complaint!
DFL
Never send a human to do a machine's job.
and how is that relevant?
and what the fuck is astroturf supposed to mean here?
What the hell is your fascination with GPL?
why not make it totally free, or design a better license that doesn't do what RMS wants you to do.
Um, Unix Services for Unix (SFU) supports NFS.
It's also a Microsoft product.
That should be Windows services for unix.
I'm not sure what the $100m investment was for, but it has certainly paid off, as it is worth over $300m now.
Settlement of a long-standing patent-infringement suit concerning certain parts of Microsoft's "ActiveX" technology lifted from Quicktime practically feature-by-feature. Apple promised to drop the suit, which they promptly did, in return for the stock investment.
--B
RFC does not *exactly* mean something is a standard.
It's just that, usually, software is derived from the RFC (or vice-versa) and it becomes an unofficial standard. Take IPv4. You could read the rfc that specifies IPv4 and find several things that are not implemented, and will never be implemented in the Internet today (or any private IP network, for that matter). Some fields that were never really used in IPv4 (TOS, for one..) are now being used in an unrelated manner to do QOS... it's great, it's innovative, it's a re-use...
And lots of rfc's are never used for anything....
So rather, we can summarize how things work in the world today by referencing a bunch of rfc's.
Changing the kerberos spec by producing a new RFC... nothing stops MS from saying that they have implemented kerberos. Still.. why not fix it.
Your Quote:
:>
:) Sometimes I get that and I have to slow down and read it again to be sure I'm seeing what I think I am seeing... 9 times out of 10.. I'm not... :) Just wouldn't want you going around correcting people for a mistake they did not make... could be very embarrassing
> It also looks like Mac will be bringing Kerberos to OSX, in partnership with MIT.
What was actually typed
> It also looks like Apple will be bringing Kerberos to OSX, in partnership with MIT.
> No offense, but you PC guys always get that wrong. It's as bad as saying that a given OS was written by "Linux Torvalds".
No offense taken...
I suspect however your brain is playing a small trick on you...
Swapping out Apple and replacing it with Mac.
It's done to improve your reading skills...
I've never seen this before....
And it's not what was posted....
No biggy
Not a big issue
I don't actually exist.
It is a known fact that microsoft has robbed, pillaged and raped standards open to the community to enhance its goals, they have taken code and put a proprietary spin to it making it their standard, allowing them to have complete control, it is a good thing that they are planning to clamp down Kerberos, cause M$ is getting seriously out of hand.
Of course, the first question that comes to mind is: how is this going to influence the recent legal actions Microsoft pulled against /.
The second is, why is the IETF not in control of Kerberos completely, how could it happen that Microsoft made proprietary extension to the protocol?
Sigged!
MSFT Kerberos: a true bait-and-switch.
-- @rjamestaylor on Ello
It's simple to make proprietary extensions to a (formerly) open protocol. Just implement the standards and then change them ever so slightly so that they can break compatibility with standards compatible products. The IETF doesn't have enough money to sue Microsoft and stop them.
Microsoft thinks they're above standards bodies and the law. This is nothing new. You've seen it before:
Their proprietary changes in Internet Explorer that break with W3C standards for HTML.
Their proprietary changes to LDAP in Active Directory.
And their recent proprietary changes to XML in Internet Explorer 5.5.
And I can go on . . .
Microsoft will argue that they are trying to "improve" the standards, but their so called improvements are simply trivial changes to try and seize a standard. Or as many of us like to say: Embrace, Extend, Extinguish.
Hopefully this time it's not too late.
Still, who thinks the legal dept isn't already gearing up to find another loophole to put the windows logo in? There's always something....
-Earthman
Earthman
Say it to me face w/ out wasting space...
Then again blink and layer are in the W3c specs are they? And they didn't come from Microsoft ...
I can only think of two API's, or specs, if you will, that microsoft has found reason to make non-interoperable
Java, and this -
Are there more examples of protocols, specifications, API's, whatever, that had standards for interoperability, but the Windows or Microsoft implementation fails to meet them ?
Not that I doubt there are, I've just never really looked into it.
Anyway, it's great that this is happening. I hope M$ suffers greatly because of this. Although I know they won't. Damn it. I really wish we could all get at them bad.
Anyway, I also hope developers come out with a patch to kerberos to make unix versions capable of talking to the M$ versions.
1. Download kerberos source
2. Unzip and untar
3. make all, make install.
What's so hard about that?
Oh, we're not talking about the port? Oh well.
"Kerberos Loophole May Close around Microsoft's Neck"
:)
heh
Something tells me the bias may be on our side this time, folks
Aren't you dead?
The point was not that they innovated and added wonderful new features to the protocol - the point is that they promised to be 100% compatible and they aren't.
According to the article, Microsoft said, "It's not about free speech. We're not asking for people's comments to be pulled down." EXCUSE ME??? That's exactly what they were asking in their letter to Slashdot. Fuck Microsoft.
-Nathan Whitehead
Microsoft is wholly dependent on the authors of Kerberos. They need to be able to claim interoperability and that they are on the cutting edge, but depend on the sanction of their victims. I think it's excellent that the authors of the Kerberos spec are withdrawing that permission - in a sense reminding Micros~1: "Kerberos is MINE, and I'm LETTING you use it".
I want to delete my account but Slashdot doesn't allow it.
Kerberos is about security. The IETF can make analyses and determinations about the security of its standard protocols. If the Microsoft implementation of the extension does not cooperate to work toward necessary security in Kerberos, IETF (and MIT) are right to point this out and route around it.
Microsoft started this discussion by publishing the document on the web. Now it has to live with the consequences.
As far as the relevance to the Slashdot case goes, I suppose you noted the hints that the implementation for the extension is not original, since it was already presented on the Kerberos mailing list by another?
A long time ago, Apple had an alliance with Netscape (then still a stellarly successful browser company). Then MS invested $100m in Apple, and consequently Apple dropped Netscape and standardised on MSIE.
Now that Apple are adopting Kerberos, what's to say that it will not be proprietary Microsoft Kerberos? If MS could get Apple to support their fork of Kerberos, it'd make it more likely to win the standards battle. (And official standards mean little in the fast-moving IT game; witness what happened to HTML 3.0.)
When a specification is updated, a new RFC is posted. If a new RFC was written for Kerberos v6 (or whatever Clifford Neuman wants to call it), Microsoft could still (rightfully) claim full compliance with the original Kerberos specification (RFC 1510).
My personal take on this is that it's sour grapes. It appears to me that the other commercial Kerberos implementations are not fully compatible with MIT v5 either, and probably for the same or similar reasons, and where's the righteous indignation about those?
CyberSafe's TrustBroker (Acrobat Reader needed) indicates in its FAQ that it's compatible "at the protocol layer", and strongly implies that there are interoperability problems or limitations.
DCE Kerberos is not interoperable with MIT's implementation. I don't see anyone screaming about that.
I'd like to see a reasonable discourse on this issue, without all the "Evil Micro$oft" rhetoric. Should standards all be written in such a way that no one is free to innovate?
Here's a side note. Regardless of what OS you use, don't you advocate the spread of Kerberos as an authentication protocol standard? If so, you should probably be grateful. I'll bet more computers have been running Kerberos since February than have ever run it before.
People aren't even seeing the more serious issue here. If Microsoft implements these so-called Kerberos extensions, reverse engineering them is not what we want to be doing (regardless of legality).
Getting the IETF to make the standard more rigid is a better course of action. It forces Microsoft to adhere to certain rules if they want to claim Kerberos interoperability.
If we start the reverse engineering game with Microsoft, they will have achieved their goal -- defacto control of the Kerberos standard. They will have the ability to modify their extensions at will, thus forcing anyone who requires interoperability (e.g. Samba) to scramble to catch up.
Once Microsoft has you playing catch-up, you're right where they want you. See Netscape for details.
Best regards,
SEAL
Of course some of us aren't all that happy when we see interoperability suffering, no matter who the culprit is. But when Microsoft does something like this, everyone becomes very wary, because they've shown they have the market clout and the disposition to try to force their stuff down everyone's throat. Sort of the difference between anyone worrying about lil' ol' ME buying a gun, vs. a violent criminal.
Tweet, tweet.
at least he spelled "mac" in lowercase letters. :) a lot of slashdot posters would have said something like "It also looks like MAC will be bringing Kerberos to OSX".. -_-
[explanation for anyone confused by my statement: "MAC" and "Mac" are not the same thing. A "mac" or a "Mac" is short for "Macintosh", which is a type of computer. An "MAC" is an address hardwired into an ethernet card used for identification. i hope this clears things up a bit. Most Linux users should understand this already, since Unix-style file systems are case-sensitive and will allow files to coexist despite the fact that treated case-insensitive they have the same name.. i would be willing to bet though that there are some linux users out there who do call mac MAC, and i'd be willing to bet some of these people are the exact same people who bitch like crazy whenever anyone uses the phrase "x windows" in place of "x", even in contexts where "x" alone could also be construed to mean X the bot on undernet, X the anime, or X the San Francisco punk band.. i'm ranting now aren't i? sorry. i've had a bad day.. -_-]
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
It does MSFT no good to say they comply with the old version of Kerberos if everyone moves on to a non-extend-and-embrace version. No one will buy it then.
Will in Seattle
For a moment, I was thinking of that other loophole in Kerberos...
-------
Warning: Slashdot may contain traces of nuts.
How is Microsoft any different from a small consulting company which might use the same Kerberos optional field in implementing a private project for their client? Well, IMHO there is a difference.
Microsoft and other companies with very dominant market share are in the position of creating de facto standards in whatever they produce. Standards have an enabling role in a free market, namely that they define a basis for direct competition. Consumers can choose between competing products that do the same (to the extent defined by the standard) thing, which developers are able to produce with assurance because of the public standard.
Microsoft's release of products including special uses of an optional Kerberos field will automatically create a new, de facto (extended) standard. Technically, fine (hopefully). Kudos to Microsoft for thinking up something new and useful. But standards-wise, maybe not so fine, if it is closed/restricted and serves to exclude competition.
Microsoft's use of an optional Kerberos field does not make them nonconforming w.r.t. the base standard. But insofar as they are creating a new (and because of their market share, widespread) de facto standard, and insofar as they are excluding competition, they are in effect putting others into the position of being nonconforming -- with no permitted way of becoming so, except possibly by paying license fees to Microsoft. This is a perversion of the purpose of an open standard, and not so incidentally, the DMCA is an example of engineering extra locks to secure the perversion.
I haven't looked at the new spec, but it immediately comes to mind that there are several ways to use open slots in a standard structure, and etiquette and technical foresight come into play. I doubt that Microsoft would simply pre-empt the full use of a slot by, e.g., storing a "handle" to a proprietary object in the slot. That would lock out other simultaneous independent options (except of course through mods to the proprietary object), which would be acceptable for a private project, but certainly not for a de-facto-standards-defining, market-dominating one. An acceptable alternative might be to use the slot as the head of a linked list which could be traversed according to open methodology. This wouldn't lock anyone else out of simultaneous optional-slot use. Etiquette would demand that the original standards authors/overseers/maintainers be consulted before proceeding with such a (list-structure) extension of the standard. The list nodes could then be used in private projects or de-facto-standards-defining mega-releases. I'd be interested in knowing how Microsoft proceeded.
I believe much of the antipathy towards Microsoft stems from the sense that they don't want to compete on pure technical merit, even though they have recruited a tremendous pool of technical talent, whose members very likely feel they can win in a clean game, and would prefer it that way.
Some (most?) lawyers and marketers are other kinds of players, though. It seems like they take pride in being able to "win" in any game, and a dirty game is just a game with different rules (and to them that's the way the world is), which makes it honorable to play as dirty as you can get away with, including {bribe,lobby}ing to change the rules in your favor as you're playing. I can see some people wanting to get into that kind of "sport" (can you be big-corp CEO otherwise in today's environment?), but sadly, it really fouls up the game for those of us who would rather not play that way. If we are the majority, perhaps we can get our representatives to work on reforming the rules of play, so fewer people would get hurt and more could enjoy it, and there would be fewer bad feelings among us all. Of course, our representatives are mostly lawyers ;-/
:-)
Cheers
I was curious about this, so I checked the source. The basic problem is that IE5 doesn't deal well with a space before the 'a' in the closing anchor tag:
****Gfx Scrollbar Special case hit!!*****
I'm sure there are. Just from experience, their Proxy Server 2.0 will default to their proprietary WinNT Challenge/Response protocol for authentication. This really sucks for SETI@home, RealPlayer, and all non-MSIE (Netscape) browsers, because the proxy won't function like a proxy to non-MS products unless you dig into the settings and disable the defaults.
And of course, that doesn't even scratch the surface of email filtering in Outlook Express and WebTV.
It's pretty ironic that in this article dealing with Microsoft's Kerberos implementation, you're blaming Microsoft for their browser correctly interpreting the W3C's HTML 4.01 spec, by which </ a> isn't valid HTML. Now why do I get the feeling that if IE5 worked with this invalid HTML, you'd be moaning and crying about Microsoft embracing and extending the HTML standard? Hmmm?
Just like Microsoft's Kerberos implementation adheres to the IETF Kerberos standard, so does IE5 adhere to the HTML standard in the example you mentioned above. What part of "standards" do you guys not understand? Looks like they're always a good thing except when Microsoft follows them.
Cheers,
ZicoKnows@hotmail.com
"You know, you use that word a lot, but I don't think it means what you think it means ..."
How about forcing people to make innovative *standards* that others can use and prosper from just as easily as you can? That is, after all, how the Internet came about. TCP/IP was very innovative, POP3/SMTP/HTTP/DNS too, Unix socket i/o, and yes, even Linux are all very innovative products. They're also very pervasive products as well, although this has as much to do with the fact that it's an *open innovation* than it does with the innovative nature of it...
Microsoft and its cronies love to use this 'innovate' word, but I don't think it means what they think it means. Maybe they're using MS Dictionary 1.0, I dunno.
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
Okay, I'll see your touché and raise you a c'est bon. I don't disagree with you about why some people are perturbed, it's just tiring to see so many people continue to misunderstand the fact that their Kerberos implementation is compliant. As to the current article, it surprises me that when writing a vendor-specific field, MIT wouldn't expect some companies to use that field to create implementations that were only operable between that single vendor's products. To me, the current complaints sound like a knee-jerk anti-Microsoft reaction.
Cheers,
ZicoKnows@hotmail.com
What part of "standards" do you guys not understand? Looks like they're always a good thing except when Microsoft follows them.
Standards are defined by a global committee with the interests of the world community at heart.
Microsoft "standards" are defined with only the intere$t$ of Micro$oft at heart. They will encourage these standards to be adopted so that M$ can embrace and extend their reach even further into the community.
Hey, didn't Judge Jackson find these guys guilty? ... ?
Can't they take a hint?
This post encoded with ROT26. If you can read it, you've violated the DMCA. Handcuffs please, sergeant.
It's not a knee-jerk anti-Microsoft reaction, this outcry over Microsoft's latest standards-smashing scam is well-founded. The whole idea of Kerberos was to have a publicly-documented, platform-independent authentication scheme, and Microsoft deliberately broke it. To make matters worse, they pull this disgusting legal razzmatazz with their EULA-protected "trade secrets," to forestall legitimate reverse engineering.
Cheat, cheat, cheat, and even in the midst of their antitrust suit they never stop - the Sid Vicious of software vendors. God knows, "business ethics" is something of an oxymoron, but even amidst the low, swinish company of capitalist businesses in general, Microsoft stands out; that damned gang is just plain pathological.
OK, you could say that "any company in their position in a capitalist market system would act as they do," and I suspect you'd be right - but that is only an indictment of capitalism in general.
Yours WDK - WKiernan@concentric.net
If Microsoft starts competing on quality, making the source available to all, etc., like RedHat, then I don't see a problem.
IBM once was the bad guy, building non-standard hardware, locking users into IBM's product line.
Now IBM is selling mainframes that run Unix-like systems such as Linux.
They "get it"
If Microsoft "gets it" that would be a good thing.
If Microsoft starts selling Linux systems and puts all their marketing, legal and money behind Linux that would be a good thing.
If Microsoft just attempts an e&e on Linux we'd just get ticked off.. or a bait and switch or any games. Microsoft already knows we don't trust them but they might believe they could pull it off. If they try they'd be toast...
So as scary as an MsLinux looks it could be a good thing... IF Microsoft plays fair...
I don't actually exist.
---
:>
It also looks like Mac will be bringing Kerberos to OSX, in partnership with MIT.
---
Mac? Who is Mac?
By chance do you mean Apple?
No offense, but you PC guys always get that wrong. It's as bad as saying that a given OS was written by "Linux Torvalds".
- Jeff A. Campbell
- VelociNews (http://www.velocinews.com)
- Jeff
In a way, I hope that developers DON'T come out with a patch that makes "standard" kerberos capable of talking to MS Kerberos.
Why? Because this would be tantamount to accepting the Microsoft extensions, and making the standard needlessly more complicated to support. Why should MS be allowed to have a different implementation than everyone else? Why should people who want to use Kerberos in heterogenous environments be forced to deal with 2 separate interfaces?
No, I think that I would prefer to see the rest of the world adopt the new standard, and snub the MS version completely. That would be a great test of whether MS really does have monopoly power over the industry; we could just see who gave in. If it's a case of "The rest of the world" vs. "Microsoft", and the world loses...then there is definitely still a problem, and that means that MS can still do whatever they want, unchecked, and unfettered by what is good or preferable for the populace.
WMBC freeform/independent online radio.