[3433] in Kerberos
Re: Kerberos and DCE
daemon@ATHENA.MIT.EDU (Joseph N. Pato)
Fri Jun 17 11:20:21 1994
Date: Fri, 17 Jun 1994 11:07:51 -0400
To: dcrocker@mordor.stanford.edu (Dave Crocker)
From: pato@apollo.hp.com (Joseph N. Pato)
Cc: eric@atrium.com (Eric J. Rothfus), kerberos@MIT.EDU

At 16:05 6/16/94 -0700, Dave Crocker wrote:
>Joseph,
>
>The beginning of your most recent message went on at some length about
>nomenclature and explaining that DCE security has more functionality than
>MIT's base Kerberos system. Let me reiterate that none of that has
>anything to do with the question of interoperability; hence, there's no
>benefit in pursuing such detail.
>
Sigh, I suppose I should have already stopped....

I tried to be clear - the two systems are not the same. To make it clear
that the question of interoperability must be limited to the aspects of the
two systems that are common I tried to outline where the differences lie.

RFC 1510 is where DCE and Kerberos overlap. Both MIT's implementation and
the DCE (and to my knowledge other commercial implementations claiming to
be "Kerberos") implement RFC 1510.

RFC 1510 is defined over a UDP/IP transport on port 88. The specification
has allowances for definition over other transports in the future - but the
last time I read it I only saw how it was realized over UDP/IP.

The DCE adds additional transports.

The DCE implementation "prefers" alternate transports, but both client and
server will use UDP/IP as defined in RFC 1510 when it is the "best"
alternative.

This choice is part of the DCE implementation code and is transparent to
applications (client or server) that use the DCE runtime libraries.

>
>Right. As long as the application doesn't use the DCE enhancement
>(authorization) things are the same. But what if it does use the
>enhancement?
>
If applications need the enhancements then they need the DCE.

- joe