Can Kerberos Remain an Open Standard?
Mark Edwards talks about Microsoft's implementation of Kerberos authentication and how it deviates from IETF standards.
March 8, 2000
I'm sure you're aware of networking standards such as HTML, POP3, FTP, Kerberos, and more. But did you know that a formal body known as the Internet Engineering Task Force (IETF) governs these standards? The IETF helps govern the development and standardization of protocols so that software developers can create interoperable software based on those standards. Because of IETF oversight, various Internet clients, such as Web browsers, work in basically the same manner. You don't need a Netscape Web browser to communicate with a Netscape Web server—any Web browser will work.
When developers use IETF specifications to create a product, users expect that product to work in the same manner as other products based on IETF specifications; however, that's not always the case. Sometimes, a development team will deviate from the specifications for its own benefit, to the detriment of the user community. Microsoft's implementation of Kerberos authentication is such a case. The implementation deviates from IETF specifications, and various people in the industry are understandably angry.
The problem is Microsoft's use of the data authorization field. All major Kerberos implementations except Microsoft's implementation leave this field blank. Microsoft uses the field to provide access privileges for a given user when that user authenticates against a Windows 2000 (Win2K) server. Because the field has no specific use in other major Kerberos implementations, Microsoft's use of the field seems harmless; however, Microsoft has refused to publish details about its proprietary implementation of the data authorization field. Also, Microsoft intentionally avoided usual IETF protocol when deviating from the Kerberos specifications.
According to Microsoft's Win2K Product Manager Shanen Boettcher, the company is merely using a previously unused data field. But Boettcher failed to state why Microsoft bypassed proper IETF channels. Furthermore, Boettcher couldn't say whether Microsoft would release documentation regarding proper use of the data authorization field. In other words, third-party Kerberos developers are out of luck if they want to fully and directly support Win2K clients. Businesses that have already invested heavily in UNIX-based Kerberos solutions have only one choice if they intend to directly support Win2K clients: buy Windows 2000 Server (Win2K Server) and pay for an integration.
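To make the interoperability consequence concrete, here is a small Python model of how a Kerberos application server walks the ticket's authorization-data field. This is an added example, not code from the column or from any Kerberos implementation. The field is a sequence of (ad-type, ad-data) elements; the handling rule modelled here follows the revised specification's treatment (an element the server cannot interpret is an error unless it sits inside an AD-IF-RELEVANT wrapper, where it may be skipped). The ad-type numbers (1 for AD-IF-RELEVANT, 128 for the Windows privilege data), the fact that Windows wraps its data in AD-IF-RELEVANT, and the toy privilege-blob layout all come from later documentation or are constructed here; none of them appear in the column.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Union

# ad-type values taken from the revised Kerberos specification and later
# Microsoft documentation; the column itself names neither number.
AD_IF_RELEVANT = 1     # contents may be skipped by a server that does not understand them
AD_WIN2K_PAC = 128     # type Microsoft later registered for its privilege attribute data


@dataclass
class AuthElement:
    """One element of the ticket's authorization-data sequence."""
    ad_type: int
    ad_data: Union[bytes, List["AuthElement"]]  # a list stands in for encapsulated elements


@dataclass
class Decision:
    accepted: bool
    privileges: Optional[Dict[str, object]]  # None: the ticket carried nothing this server could use
    reason: str


Parser = Callable[[bytes], Dict[str, object]]


def evaluate_ticket(elements: List[AuthElement], parsers: Dict[int, Parser]) -> Decision:
    """Apply the spec's rule: an element the server cannot interpret is fatal
    unless it sits inside AD-IF-RELEVANT, where it is simply skipped."""
    privileges: Dict[str, object] = {}
    for el in elements:
        if el.ad_type == AD_IF_RELEVANT:
            for inner in el.ad_data:  # type: ignore[union-attr]
                if inner.ad_type in parsers:
                    privileges.update(parsers[inner.ad_type](inner.ad_data))
                # anything else inside the wrapper is ignored, by design
        elif el.ad_type in parsers:
            privileges.update(parsers[el.ad_type](el.ad_data))
        else:
            return Decision(False, None, f"unrecognised ad-type {el.ad_type} outside AD-IF-RELEVANT")
    return Decision(True, privileges or None, "ok")


# Constructed stand-in for the vendor's privilege blob. The real layout is the
# undocumented part the column complains about; this ';'-separated group list
# is invented here purely so the example has something to parse.
def parse_toy_pac(blob: bytes) -> Dict[str, object]:
    return {"groups": blob.decode("ascii").split(";")}


TOY_PAC = b"Domain Users;Backup Operators"

# Ticket as a conventional implementation issues it: the field is left empty.
PLAIN_TICKET: List[AuthElement] = []

# Ticket as a Win2K KDC issues it: vendor privilege data wrapped in AD-IF-RELEVANT.
WIN2K_TICKET = [AuthElement(AD_IF_RELEVANT, [AuthElement(AD_WIN2K_PAC, TOY_PAC)])]

# Same privilege data left unwrapped: a spec-following server that does not
# know the type has to reject the whole ticket.
UNWRAPPED_TICKET = [AuthElement(AD_WIN2K_PAC, TOY_PAC)]

THIRD_PARTY_SERVER: Dict[int, Parser] = {}                      # knows no vendor types
WINDOWS_SERVER: Dict[int, Parser] = {AD_WIN2K_PAC: parse_toy_pac}


if __name__ == "__main__":
    tickets = [("plain", PLAIN_TICKET), ("win2k", WIN2K_TICKET), ("unwrapped", UNWRAPPED_TICKET)]
    servers = [("third-party", THIRD_PARTY_SERVER), ("windows", WINDOWS_SERVER)]
    for ticket_name, ticket in tickets:
        for server_name, server in servers:
            print(f"{ticket_name:10s} -> {server_name:12s} {evaluate_ticket(ticket, server)}")
```

The point the model makes is the one the column is about: a third-party server given a Win2K ticket still accepts it, because the wrapper tells it the extra element is safe to skip, but it gets no privilege information out of it and must fall back on its own access-control data. Only a server that knows the blob's layout can turn the field into access decisions, and without published documentation no one outside Microsoft could write that parser.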
Microsoft participates with the IETF in creating standards, but the company didn't bother showing any goodwill in this case. Developers made changes to Kerberos without consulting the IETF. Who benefits from such action? To date, Microsoft has refused to document its Kerberos changes. Who benefits from that action? I'm not the only person who finds this situation highly suspicious. What's your opinion? Stop by our home page and take our poll regarding this matter. Until next time, have a great week.