[1602] in Kerberos
Re: DCE kerberos vs. MIT
daemon@ATHENA.MIT.EDU (Joe Pato)
Tue Oct 8 15:52:12 1991
From: pato@apollo.com (Joe Pato)
Date: Tue, 8 Oct 91 14:03:26 EDT
To: athey@lorien.ocf.llnl.gov (Charles L. Athey III)
Cc: kerberos@Athena.MIT.EDU
In-Reply-To: athey@lorien.ocf.llnl.gov (Charles L. Athey III), fri, 4 oct 91 20:09:24
What is the state of DCE's version of Kerberos V vs. MIT's?
Is DCE's in the same not quite complete state that the
MIT beta release is?
We are supposed to receive the DCE package in Dec '91 and I
would like to know if I should spend time working on MIT's
version of Kerberos V or just wait for the DCE package -
both from an implementation standpoint and from a political
one of which one vendors are going to pick up.
Chuck Athey
The DCE security component includes a version of Kerberos V5 that has tracked the
MIT implementation, but is not exactly the same. It is based on MIT's beta1
distribution with a number of bug fixes and other changes (including more
recent protocol changes for V5). Many of the bug fixes have been or will be
shared with MIT - but not all of the enhancements. The database and
replication implementation is entirely different as are the management
interfaces and tools.
The DCE security component includes substantially more than Kerberos. A DCE
site cannot run with a vanilla Kerberos implementation from MIT - it must run
with the OSF DCE implementation. Applications linked against the MIT beta1
code, however, can run in a DCE cell (read "realm") unchanged. It is our
intent to preserve compatibility for "off the shelf" MIT Kerberos applications
but we cannot guarantee that this will remain true after DCE has shipped and
MIT continues to evolve their implementation. We don't expect any more
protocol changes - but it is possible that the format of certain local files
like the credential cache could change thereby breaking interoperability. We
plan to continue working with MIT to avoid this problem.
Portions of the MIT package are not included in the DCE code. These portions
include: the database code, MIT admin tools, gssapi, sample applications,
Kerberos 4 compatibility API. In addition binary versions of the DCE will
generally not expose the MIT V5 API - though source licensees are free to make
this available.
If you plan to use a vendor's DCE environment, then you should wait for the DCE
package. Many vendors have already announced support for the DCE. I don't
know how many intend to support a vanilla MIT Kerberos V5 implementation.
-- Joe Pato
Cooperative Object Computing Division / East
Hewlett-Packard Company
pato@apollo.hp.com
-------