See below:
-----Original Message-----
From: Zafar Baig [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 17, 2002 1:45 PM
To: David Lawler Christiansen (NT)
Cc: [EMAIL PROTECTED]
Subject: RE: Kerberos on the web

Resending my message to highly Mr. Christiansen in the "To" box as it was originally addressed to him. I had addressed it to everyone in my previous send. Anyway everyone, please feel free to comment.

Thanks and sorry for the repeat.

-------

Backgrounder: I am a technical engineering person who has worked on the MIT krb5 standard on various win32, unix and linux platforms for several years now. Most of these are through very large scale mission critical security server deployments with OSF/opengroup DCE (fyi...DCE has been going hand-in-hand with krb5 for a really long time now). A 100% interoperability is a major concern for scalable systems otherwise it becomes a "my way or the highway" situation. I spend little time developing krb5 apps but I work pretty deep into the system level code.

I am looking forward to knowing the technical answers for the speculative or misleading statements (or "lies") from that article. I won't look at magazines or .Net's Passport (krb5) reviews for this analysis. Let us truly analyze the system without bias and see how cool it may or may not be.
This is answered in my reply to Wyllys Ingersoll.
First....What is the latest situation with Krb5 on win2k in terms of interoperability overhead (especially when considering the proprietary PAC stuff)?
I'm not sure what you mean by "interoperability overhead." We are aware that some implementations have problems with tickets larger than the MTU for their network (UDP fragmentation), and/or don't implement the TCP interface to the KDC. Other than that, I don't know what else would fall under the category of "overhead."
We commonly test against the MIT distribution and have tested against other implementations (such as cybersafe's) intermittently. We take any interoperability problem very seriously, and issue hot fixes as the need arises.
I know that MS has been pushing for its "Federated" Kerberos through (project liberty) but what is the latest situation on licensing and open source?
Microsoft is certainly interested in using Kerberos to solve some of the needs for federated identity and authentication. In fact, I think that this forum would be supportive of moving Kerberos into new areas. It is way too early for specifics on licensing, however. The currently public information is at http://www.microsoft.com/PressPass/features/2001/sep01/09-20passport.asp . As more things become "solid", more information will be released.
How many auth requests can a krb5 Win2k server take and what will be the % uptime?
That's not a meaningful question without some idea of the hardware it was running on, the size of the account database, etc. We run most of our perf tests on directories with 100K - 1M users, so that we can push the whole system (not just test the KDC if the accounts were all in cache, for example). We also run the perf tests on 1p, 2p, 4p and 8p machines with varying amounts of memory, etc.
The media is only a tool to spread the word/hype around. I will look at the MS-krb5 code myself if I can get it. How/when can I get this?
Microsoft source code is available for inspection under a Non Disclosure Agreement (NDA) along with a Source Licensing agreement. The details can be found at http://www.microsoft.com/licensing/sharedsource/default.asp
Your answers to these questions will pretty assert the big picture.
Z
