[282] in Info-AFS_Redistribution
Re: AFS, Kerberos and OSF/DCE
daemon@ATHENA.MIT.EDU (Bill Sommerfeld)
Thu Aug 15 16:23:38 1991
Date: Thu, 15 Aug 91 15:28:02 -0400
From: Bill Sommerfeld <wesommer@athena.mit.edu>
To: Mike Gahan <ccaamrg@ucl.ac.uk>
Cc: info-afs@transarc.com
In-Reply-To: Mike Gahan's message of Thu, 15 Aug 91 11:15:30 +0000,

Speaking as one of the people working on security for DCE (in my other
life at sommerfeld@apollo.hp.com)

We are under immense pressure from marketing and management to get
*something* out the door. Marketing and management do not perceive
interoperability with non-DCE kerberos implementations as a priority
(if you want to change this, talk to OSF..), but I and other engineers
do.

DCE security is layered on top of Kerberos V5, using the MIT
implementation as modified by HP, plus a relatively large amount of
other code. Those using DCE when it comes out will either have to use
the DCE security server as their KDC, or make moderately extensive
modifications to the DCE security server to get it to use the MIT KDC.
We originally planned to include those modifications in DCE, but they
were not considered high priority work, and so they were bumped from
the schedule. If you want to see this in a later release of the DCE,
talk to the OSF and ask them for this support. Note, however, that
current export restrictions may prevent us from shipping it to you
without an appropriate export license.

AFS 4.0 will use the DCE security mechanism, not a V4-based mechanism.
MIT kerberos clients and servers should work with the DCE KDC, and it
should be possible for a DCE KDC to exchange inter-realm keys with a
non-DCE KDC, although extensive interoperability testing has not
occurred yet.

- Bill