MIT Launching Kerberos Consortium
alphadogg writes to tell us that next week MIT will be throwing a 20th birthday party for their Kerberos authentication system. In celebration of this milestone they will also be launching a new consortium dedicated to preserving and evolving this standard for years to come. "Kerberos, originally created for MIT's Project Athena, is used mainly by enterprises and MIT's goal is to see the IETF security standard develop into a universal system for single sign-on. [...] 'Kerberos has.... become successful beyond MIT's internal capacity to respond to the world's demands for development, testing and support. So we need a new organizational structure that can accommodate the demand.'"
It might now have a home, but it won't be able to enter it without someone to vouch for its identity.
With MS embedding their version of Kerberos into their OS's it's fairly certain they will try to influence the direction of this in their favor. Just something to watch out for.
Didn't we just cover this aspect of MS embedding crap in the EU ruling? They can do it in the US, perhaps Asia, but the EU will be telling them to OPEN UP. So if I wanted to use my own authentication system in the OS I should be able to, not Microsoft's.
Organisational Restructuring: "No, you want Bodkin, he shuffles orange and white papers, I now shuffle green and baby blue papers. Yellow and tan papers are down the hall to the left, shuffled by Morris."
A feeling of having made the same mistake before: Deja Foobar
...so why not me?
Long ago, people were all upset when Microsoft did the ole embrace and extend thing with Kerberos. I haven't heard much about that for years. Has it been a problem for anyone? Will the Kerberos consortium take whatever Microsoft did into account so as not to break what other people have done to work with and around Microsoft?
From the FAQ: http://www.kerberos.org/about/FAQ.html
Didn't you guys have some kind of big falling out with Microsoft around Kerberos?
"We read about that, but MIT and Microsoft have a long history of working together on Kerberos. This history starts well before the release of Windows 2000. Since then, MIT and Microsoft have been working on standardizing some of the features such as realm referral that enhance the ease of configuration of the Active Directory product. To this day, MIT and Microsoft continue to work together on Kerberos standards. The most recent effort involves a joint proposal to protect Kerberos against weak passwords and provide enhanced user privacy. MIT and Microsoft have made a proposal and are working within the standards community to build consensus around this proposal."
Not sure how easy it is to replace Kerberos in Microsoft OS; the fact is, with all the companies I've worked with globally, all of them were just using Kerberos in AD since it was there. Sure, you can turn it off and replace it with another option, but cost-wise it doesn't make sense... and I would imagine in most cases there would not be a need to as well.
Kerberos is used extensively within Microsoft enterprise scenarios and is used in other non-Microsoft environments as well.
Both Kerberos and PKI present management difficulties as you try to expand across large numbers of domains / forests with diverse security policies.
If quantum computing ever truly breaks classic PKI approaches, the alternatives will be to develop PKI approaches that are more resistant to quantum attacks (problems are known that are believed to be resistant) and/or to use NS / Kerberos with doubled key length (quantum search attacks roughly square root the effective key size).
Here is Linux's NFS v4 architecture. Other implementations use Kerberos too. Kerberos is one of the major improvements to NFS v4.
http://developer.osdl.org/dev/nfsv4/site/architecture/