Ok, last time. NTLM is an authentication mechanism that is accessed by the SSPI infrastructure, it's available on Windows platforms (it's also available on *nix platforms, under license from someone who'se name escapes me now, but that's irrelevant). If you're not interested in windows platforms, this is entire discussion is irrelevant.
<IF> you are willing to support Windows platforms, then you have no reason NOT to support SSPI in your authentication logic. If you support SSPI, then you get NTLM support in either your server or client for free. End of issue. And you're right, I <AM> purposely confusing open source with GPL, because so much of the stuff that's covered under other open source licenses is re-licensed under the GPL. Remember, IANAL, my statements below are based on my understanding of the open source issue as I understand the materials made available to employees by Microsoft's legal department. For example, the TCP/IP stack in Linux is covered by the BSD license, but since code in the TCP/IP stack shows up in a Linux distro that's covered by the GPL, a lawyer could argue that work done on the BSD TCP/IP stack that eventually makes its way into a Linux distribution is ALSO covered by the GPL. So for all intents and purposes, the GPL (which is the most restrictive of the open source licenses) could be construed to cover all the other open source licenses. The law is ambiguous, but Microsoft Legal feels that if a Microsoft employee or contractor does work on software that is distributed in a GPL distribution, then ALL of the work done by that employee, even the work done at Microsoft may be covered by the GPL. The problem is that concepts that appear in the work done under GPL may reflect work that was done for Microsoft (or snippets of code, or classes, or whatever), and vice versa - it is possible that some clever idea found in an open source distribution might make it back into a Microsoft commercial product. And if that happens, then the rules of the GPL are such that the entire Microsoft commercial product must be made open source, which is a bad thing for a commercial software vendor. If you come back and say "but that's just because Microsoft employees are weenies that can't have an original thought", I'll point out that there was a period of about 8 years back in the 80's and 90's when Microsoft received a significant amount in royalties from a major competitor because one of the developers in that major competitor saw Microsoft licensed source code under NDA and accidentally included the concepts embodied in the code in the competitors product. It DOES happen, and it CAN cause massive problems for a commercial vendor. Larry Osterman -----Original Message----- From: Pete Naylor [mailto:[EMAIL PROTECTED]] Sent: Wednesday, March 27, 2002 1:50 PM To: Larry Osterman Cc: Marek Kowal; [EMAIL PROTECTED] Subject: Re: Outlook express AUTH command Larry Osterman wrote... > There must be interest in adding NTLM support, Marek asked if there are > open-source servers that support NTLM. I said nobody wanted it badly enough - yes Marek is one of the few who are interested - we'll have to wait and see if he contributes any patches to add NTLM authentication to open source projects. > If I could contribute patches > without losing my job, I would, but since I'll be fired if I contribute > patches to an open source project, I'll respectfully decline Wow - where can I apply? I'm sure that with such a terrific environment I could turn out really high quality software. It seems that your employer isn't very interested in supporting interoperability with open source software at all. > (if you > really care, we can discuss what the GPL does to the ability of > professional software developers to contribute to GPL licensed projects > OFFLINE). No thanks - I have no interest in the GPL. I do find it interesting that you use GPL interchangably with "open source" though. > Immediately below the .DOC file that you point out is a "Get Office file > viewer" link. If you follow that link, you will be pointed to the page > that includes the stand-alone word file viewer, it runs on any Win32 > platform. Please look a little closer before you flame. Sit down and take a deep breath Larry... I don't have a Win32 platform. The documentation you offered is not very accessible, and represents a hurdle. Again, I wonder just how interested you and your employer are in wide acceptance of NTLM. > And I gave you a pointer to the first on-the-web version of the > documentation I found. If you want a different one, try > http://search.microsoft.com/gomsuri.asp?n=2&c=rp_Results&siteid=us/dev&t > arget=http://msdn.microsoft.com/library/en-us/security/Security/sspi_fun > ctions.asp Thank you, but there doesn't appear to be a good description of NTLM as an authentication mechanism there at all - just more layers of proprietary obfuscation. I will need documentation of how I can implement the NTLM mechanism such that this added functionality in my software will be available for all target platforms. > This is NOT rocket science - it took me all of 45 seconds of looking at > the msdn.microsoft.com web site to find it. Let me know when you find a URL for an RFC. Until that time, I think we're just wasting everyone's time with old information - for a while there I thought you genuinely wanted to see NTLM adopted as an IMAP authentication mechanism in more open source projects. -- Pete Naylor
