[Mitkc-announce] Good news about kerberos

Stephen Buckley sbuckley at mit.edu
Thu Jan 7 12:08:43 EST 2010


Dear friends,

I'm happy to announce two pieces of great news.

First, Red Hat has joined the Kerberos Consortium.  Red Hat will take  
a seat on our executive advisory board, along with Microsoft, MIT,  
and Sun Microsystems.  Our next meeting will be held March 1st, 2010  
in San Francisco.

Second, I'm also pleased to announce that Kerberos 1.8 has entered  
the alpha test phase, and we anticipate making a final release by  
March 1st, 2010.

We have made major improvements in the quality and readability  
of our code, and its encryption performance.

We have introduced greater modularity that allows the cryptographic  
implementations from various providers to be used in lieu of MIT  
Kerberos custom cryptography.  This is important for organizations  
that need to meet FIPS compliance requirements.

We have also completed two extensions to the Kerberos protocol,  
S4U2Self, or protocol transition, which enables a service to acquire  
a ticket from an arbitrary principal to itself, and S4U2Proxy, or  
constrained delegation, which enables a service to use a client's  
ticket to itself to request another ticket for delegation.

We have also enhanced our implementation of FAST, which is a  
pre-authentication framework for Kerberos that includes a mechanism for  
tunneling pre-authentication exchanges using armored KDC messages.  
FAST provides increased resistance to passive password guessing attacks.

We have also implemented anonymous PKInit, which allows users to  
obtain Kerberos tickets even if they have no principal registered in  
a realm. Use cases include hiding identity of a user for privacy,  
using FAST without registering a host, or automated registration of  
hosts.

We have also introduced the capability in MIT Kerberos to dynamically  
load Heimdal database (HDB) backends, or dump a Heimdal database for  
migration to a native MIT KDB backend.

Lastly, by popular demand from the higher education community, 1.8  
provides principal lockout functionality similar to that of Active  
Directory.

More details on this release are available on our wiki.

Many thanks to all the developers who worked so hard on this alpha  
release, and also to you, our sponsors, for the support that made it  
possible.

We are interested in your feedback on 1.8, and also requests for  
features and improvements in the 1.9 release which is due to come out  
this December.

Kind regards and Happy New Year.

s

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/

Stephen C. Buckley
Kerberos Consortium
Massachusetts Institute of Technology
http://www.kerberos.org



