[3439] in Kerberos


Re: Kerberos and DCE

daemon@ATHENA.MIT.EDU (Dave Crocker)
Sat Jun 18 00:13:37 1994

Date: Fri, 17 Jun 1994 20:54:22 -0700
To: pato@apollo.hp.com (Joseph N. Pato)
From: dcrocker@mordor.stanford.edu (Dave Crocker)
Cc: eric@atrium.com (Eric J. Rothfus), kerberos@MIT.EDU

At 8:07 AM 6/17/94, Joseph N. Pato wrote:
>I tried to be clear - the two systems are not the same. To make it clear
>that the question of interoperability must be limited to the aspects of the
>two systems that are common I tried to outline where the differences lie.

Joseph, I appreciate the effort at clarification that you are making.  The
reason that I keep taking exception is that the existence of ANY meaningful
difference automatically eliminates the possibility of "interoperability".
The fact that OSF's code is written to support both the DCE security
services and the MIT Kerberos services is well and good, but it has nothing
to do with interoperability between DCE and Kerberos.  It has to do with
the OSF code supporting two similar, but different, services.

On most Unix systems, there is support for Telnet and for rlogin, as well
as for FTP and for rcp.  However, no one would claim that FTP and rcp
"interoperate" or that telnet and rcp "interoperate".  They would say that
the Unix system in question supported two similar but different services.

In this case, the two similar but different services happen to have major
similarities, since one is based on the other, but they are nonetheless
different services.

>The DCE adds additional transports.

While the model intends the view of "additional" transports, the reality is
that DCE uses one transport environment (DCE RPC) and MIT Kerberos uses
another (UDP).  Different, not additional.

>The DCE implementation "prefers" alternate transports, but both client and
>server will use UDP/IP as defined in RFC 1510 when it is the "best"
>alternative.

Huh?  Is this in the formal DCE spec (the one which isn't published yet
because it's under review by X/Open)?  I.e., does the DCE Security Services
specification dictate use of BOTH DCE enhancements AND regular MIT K5?
Please don't tell me about code; tell me about protocol specification.

>>Right.  As long as the application doesn't use the DCE enhancement
>>(authorization) things are the same.  But what if it does use the
>>enhancement?

Ahh.  As long as the benefits of DCE are not required, then the service
defaults to regular MIT K5, except for its being transported over UDP?


Dave

+1 408 246 8253  (fax:  +1 408 249 6205)


