Kerberos vs. LDAP for authentication -- any opinions?

Douglas E. Engert deengert at anl.gov
Mon Feb 2 16:27:22 EST 2004


I would say kx509 is not covered by the patent. The KCA is not
a repository for a user's certificate and private key.  Kx509 generates
a new keypair each time it is called and sends an X509 request with the
public key to the KCA, which signs the request, creating a new certificate
each time.  This is not a key repository. The KCA never sees the
private key. The private key does not go over the network.

But, based on the snippet you sent, storing the private key in an
authenticated encrypted distributed file system so the user could retrieve
it might be covered by the patent! Which would make me believe the patent
might not hold up.
 

Anyway, I was not trying to get into a patent discussion; I was pointing
out that kx509 is a great way to use Kerberos authentication with existing
browsers and web servers.


"Dr. Greg Wettstein" wrote:
> 
> On Jan 30, 11:05am, Peter Honeyman wrote:
> } Subject: Re: Kerberos vs. LDAP for authentication -- any opinions?
> 
> Good afternoon to everyone, hope that your respective weekends are
> going well.  Just a note before I head out with the Golden Retriever
> for an afternoon of x-country skiing in the new snow.
> 
> I hope the following attributions are correct.  Additional comments
> below.
> 
> > > On Jan 29,  8:45am, "Douglas E. Engert" wrote:
> > > } Subject: Re: Kerberos vs. LDAP for authentication -- any opinions?
> > >
> > >> Many of the Browser issues can be addressed by Kx509 from the
> > >> University of Michigan. It can obtain a short term X509 certificate
> > >> using Kerberos for authentication. The certificate and key are then
> > >> stored so the browser can use it with SSL to any web server. It works
> > >> with IE and Netscape on Windows. It runs on UNIX and Mac as well.
> > >>   http://www.citi.umich.edu/projects/kerb_pki/
> > >
> > > Didn't Whit Diffie file a patent which covered the concept of using
> > > short-term certificates as authentication brokers?
> > >
> > > If so does the Kx509 stuff have some sort of divine absolution with
> > > respect to it?
> 
> > a search on the patent office shows only two patents with diffie listed
> > as an inventor: diffie-hellman, and "Method and apparatus for privacy
> > and authentication in wireless networks" which doesn't seem to apply.
> >
> > i have cc'ed greg wettstein for clarification.
> 
> I just checked my archived e-mail and notes on this.  My remembrance
> of this stuff was from when I was involved with an ill-fated startup
> centered around my IDfusion technology for, interestingly enough with
> respect to this thread, inherently secure directory based
> authorizations.
> 
> The patent that I was remembering was not by Whit Diffie; rather it was
> by a company (Arcot) who has Dr. Hellman on their Board of Directors.
> Guilt by association I guess.... :-)
> 
> For anyone who is interested the relevant patent is #6,263,446 issued
> to Kausik et al. on July 17th, 2001.  The patent is titled 'Method and
> apparatus for secure distribution of authentication credentials to
> roaming users.'  I have snipped and pasted the abstract below:
> 
>         A roaming user needing his authentication credential (e.g.,
>         private key) to access a computer server to perform an
>         electronic transaction may obtain the authentication
>         credential in an on-demand fashion from a credential server
>         accessible to the user over a computer network. In this way,
>         the user is free to roam on the network without having to
>         physically carry his authentication credential. Access to the
>         credential may be protected by one or more challenge-response
>         protocols involving simple shared secrets, shared secrets with
>         one-to-one hashing, or biometric methods such as fingerprint
>         recognition. If camouflaging is used to protect the
>         authentication credential, decamouflaging may be performed
>         either at the credential server or at the user's computer.
> 
> Before I get jumped on let me state clearly and for the record that I
> don't mean to suggest that Kx509 is infringing or the above is even
> relevant.  After my experiences, believe me, I can write a book on why
> anyone who is even remotely interested in seeing open-source or
> open-protocol solutions succeed should want nothing to do with this patent
> mess.
> 
> It would take a boatload of attorneys to actually figure out whether
> the above is relevant with respect to Kx509.  The cost of something
> like that is probably why the whole patent scene is as dangerous as it
> is.
> 
> The notion of solving the portability problem of PKI by accessing a
> private key and/or certificate at demand time is a relevant problem.
> That's why the above patent has always given me pause when I think
> about architectures such as Kx509.
> 
> >       peter
> 
> Best wishes for a pleasant weekend to everyone.
> 
> Greg
> 
> As always,
> Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
> 4206 N. 19th Ave.           Specializing in information infra-structure
> Fargo, ND  58102            development.
> PH: 701-281-1686
> FAX: 701-281-3949           EMAIL: greg at enjellic.com
> ------------------------------------------------------------------------------
> "Open source code is not guaranteed nor does it come with a warranty."
>                                 -- the Alexis de Tocqueville Institute
> 
> "I guess that's in contrast to proprietary software, which comes with
>  a money-back guarantee, and free on-site repairs if any bugs are found."
>                                 -- Rary

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
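The kx509 flow Engert describes above (a fresh keypair on every call, a certificate request carrying only the public key, a short-lived certificate signed by the KCA, and the private key never leaving the host), as an added Go example that is not kx509's or CITI's own code. The KCA, NewKCA, Sign and Enroll names are hypothetical, the CA is constructed for the example, and the Kerberos exchange is assumed to have already happened: Sign is handed the authenticated principal name and takes the subject from it, not from the CSR.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// KCA holds only its own CA key and cert: there is no field for user keys because it never sees one.
type KCA struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// NewKCA builds a self-signed CA, constructed for this example.
func NewKCA() (*KCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example KCA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	return &KCA{key: key, cert: cert}, err
}

// Sign gets only a CSR (public key + proof of possession) and the Kerberos-authenticated principal.
func (k *KCA) Sign(csrDER []byte, principal string, ttl time.Duration) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return nil, err }
	if err := csr.CheckSignature(); err != nil { return nil, err } // requester holds the private key
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:   pkix.Name{CommonName: principal}, // identity comes from Kerberos, CSR subject is ignored
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl),
		KeyUsage:  x509.KeyUsageDigitalSignature}
	return x509.CreateCertificate(rand.Reader, tmpl, k.cert, csr.PublicKey, k.key)
}

// Enroll is the client side: a fresh keypair per call, and only the CSR leaves the host.
func Enroll(kca *KCA, principal string, ttl time.Duration) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	csrDER, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: "whatever-the-client-claims"}}, key)
	if err != nil { return nil, nil, err }
	certDER, err := kca.Sign(csrDER, principal, ttl)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(certDER)
	return key, cert, err
}
```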

