[826] in Kerberos
Re: kerberos and the ISO protocol standards
daemon@ATHENA.MIT.EDU (NESSETT@CCC.NMFECC.GOV)
Wed Dec 13 16:00:15 1989
From: NESSETT@CCC.NMFECC.GOV
To: KERBEROS@ATHENA.MIT.EDU
Quoting Robert Cole, Karl Auerbach writes:
>> Thus it is not possible to 'standardise' kerberos, nor really possible
>> to specify its use in a standard.
> ???? Has the "standards" process reached the point where existing work
> is not elegible? Rather a "standard" must be new? Is somebody
> suffering from not-invented-here syndrome?
I believe Karl quotes Robert Cole out of context. The full quotation reads :
> Thus it is not possible to 'standardise' kerberos, nor really possible
> to specify its use in a standard. But it is possible to contribute to
> the standards activities in the area and to ensure that the resulting
> standards meet the requirements which Kerberos was designed for.
Standards are by nature agreed upon by a wide community. Participation in the
standards process guarentees only that your views will be heard and that your
requirements will be met (if they don't conflict with other requirements).
In the case of security in distributed systems, there is already a standard
that provides a foundation upon which can be built systems with the
functionality of kerberos. This is the X.509 standard, which forms part of
the X.500 directory service standard, and which uses public-key encryption to
sign 'certificates' binding a user's name with a public-key. Implementations
of X.509 are in approximately the same stage of development as kerberos,
although slightly behind.
While the developers of kerberos are to be congratulated for their industry and
appreciation of the significance of the distributed systems security problem,
the certificate approach is much more likely than kerberos to be used in ISO
standards.
Dan Nessett
