Ha ha, trolling, I like that. In fact the only way I ever caught fish was by trolling, but I digress. Yes, it doesn't pertain directly to the issue; however, I felt it did provide some information regarding Kerberos, so indirectly it helped. However, I did fail to post all the links at the end of the message, which do mention more of the Kerberos issue. Here they are, if any are interested:
The DNSEXT working group home page
RFC 2065
RFC 2137
RFC 2535
Secret Key Transaction Authentication for DNS (TSIG)
Secret Key Establishment for DNS (TKEY RR)
GSS Algorithm for TSIG (GSS-TSIG)
White paper on Kerberos interoperability
Press release on Kerberos interoperability
Simple Secure Domain Name System (DNS) Dynamic Update
mailing list several days previous. Here is the 'relevant' information, posted by a rep from Microsoft:
:)
When RFC 2137 "Secure Domain Name System Dynamic Update" was written, it was based on the then-current DNSSEC spec, RFC 2065 "Domain Name Security Extensions". RFC 2535, a re-write of DNSSEC based on implementation and deployment experience, obsoletes RFC 2065. A side-effect of the deprecation of RFC 2065 is the invalidation of RFC 2137. RFC 2137 is not safe for implementation.
Upshot: there is no IETF standard for DNS secure dynamic update.
Two years ago we had to make a call on whether or not we should implement DNSSEC (RFC 2065) in Windows 2000. DNSSEC - which is a public key infrastructure unto itself - is very complex. In our judgment, at the time, it was not ready for implementation and deployment. It followed that RFC 2137 was also not ready for implementation and deployment.
Still, we needed a solution for secure dynamic update. As it happened, the DNSIND working group in the IETF had already recognized that DNSSEC was not appropriate in all situations, and that there was a demand for a lightweight (shared secret) alternative. Two complementary Internet-Drafts were published to satisfy this requirement: "Secret Key Transaction Authentication for DNS (TSIG)", and "Secret Key Establishment for DNS (TKEY RR)".
TSIG and TKEY alone do not solve the key distribution problem inherent in any secret key system. However, both mechanisms allow for extension, which permitted us to publish a third complementary draft, "GSS Algorithm for TSIG (GSS-TSIG)". The GSS-API mechanism enables us to use integrated Windows security to solve the key distribution problem, and ensure our customers will have no additional key management burden associated with secure update.
The GSS-TSIG draft has been available since November of 1997. Microsoft would be happy to assist any vendors who wish to develop an independent, interoperable implementation. We have already demonstrated GSS-API/Kerberos interoperability between Windows 2000 and other GSS/Kerberos implementations (see below for more information).
The DNSEXT working group (a consolidation of the DNSIND and DNSSEC working groups) is currently working on an Internet-Draft to replace RFC 2137. This draft, called "Simple Secure Domain Name System (DNS) Dynamic Update", separates the authentication of an update from the later DNSSEC authentication of the data. The draft acknowledges the TSIG/TKEY method as a way to authenticate updates. When TSIG, TKEY, GSS-TSIG, and Simple Secure Dynamic Update reach standard status, there will be an IETF standard for DNS secure dynamic update.
Microsoft is continuing to evaluate the viability of and demand for DNSSEC/public key-based security for DNS.
Note especially the third paragraph from the end, where MS will gladly 'help' you write a standard
Cheers
OS News ran this in early September, with a good link to Mackido's site. Here is Mackido's take on it. The basics: USB 2.0 is nowhere near what FireWire offers now! When USB 2.0 hits the streets, FireWire will be even faster. Plus USB 2.0 was designed for low-end devices; Mackido discusses why it would be a nightmare for anything else.
Hasdi said, "My advice is to use Microsoft Keyboard and/or Microsoft Mouse. They may make a lame OS but they sure know how to design good hardware."
The keyboard is ok, once you get used to the different layout. That actually doesn't take long, but it does get aggravating when you switch computers several times a day, as do I. It takes a couple seconds to remember what keyboard you are using. My only complaint is the mouse. It may sound dumb, but why are mice 'ergonomicly'(sp?) designed for right hands? Is there a mouse designed to fit the left hand comfortably?
Duh, didn't pick that one out. I meant: Open Source is Trademarked by Apple? Nice typo of mine. This was copied from the link supplied by /.
Anyone else think this peculiar?
NOTE: Apple, the Apple logo, Macintosh, Mac OS, Power Macintosh and WebObjects are registered trademarks of Apple Computer, Inc. Open Source is a trademark of Apple Computer, Inc.
Who believes Nintendo can actually deliver this product on schedule? Too many rumors in the article, very few facts. Yes it is early in the cycle, but Nintendo is known for their "vaporware" also. Look how often they changed plans on what is now the N64. I'm betting when they do produce N200X (or whatever they call it) Playstation 2 will still destroy it. Did you notice, NCL doesn't like that Sony has quality games for their system (while they tend to have few). Oh well, just my own ramblings.
After watching my fellow office workers as they strain to use MS Office 97, Windows 9x and NT, I can certainly agree with Mr. Amaru's point in Pavlov's Humans. Could that be why Compaq (it was Compaq, was it not?) recently in the MS/DOJ trial said that MS Windows was stable? People think it's stable because they learn each day what causes their computers to crash, and try not to repeat it. Of course, that assumes most people have great memory capabilities.