Kerberos vs. LDAP for authentication -- any opinions?

Dr. Greg Wettstein greg at wind.enjellic.com
Sat Jan 31 13:41:01 EST 2004


On Jan 30, 11:05am, Peter Honeyman wrote:
} Subject: Re: Kerberos vs. LDAP for authentication -- any opinions?

Good afternoon to everyone, hope that your respective weekends are
going well.  Just a note before I head out with the Golden Retriever
for an afternoon of x-country skiing in the new snow.

I hope the following attributions are correct.  Additional comments
below.

> > On Jan 29,  8:45am, "Douglas E. Engert" wrote:
> > } Subject: Re: Kerberos vs. LDAP for authentication -- any opinions?
> >
> >> Many of the Browser issues can be addressed by Kx509 from the
> >> University of Michigan. It can obtain a short term X509 certificate
> >> using Kerberos for authentication. The certificate and key are then
> >> stored so the browser can use it with SSL to any web server. It works
> >> with IE and Netscape on Windows. It runs on UNIX and Mac as well.
> >>   http://www.citi.umich.edu/projects/kerb_pki/
> >
> > Didn't Whit Diffie file a patent which covered the concept of using
> > short-term certificates as authentication brokers?
> >
> > If so does the Kx509 stuff have some sort of divine absolution with
> > respect to it?

> a search on the patent office shows only two patents with diffie listed  
> as an inventor: diffie-hellman, and "Method and apparatus for privacy  
> and authentication in wireless networks" which doesn't seem to apply.
> 
> i have cc'ed greg wettstein for clarification.

I just checked my archived e-mail and notes on this.  My remembrance
of this stuff was from when I was involved with an ill-fated startup
centered around my IDfusion technology for, interestingly enough with
respect to this thread, inherently secure directory based
authorizations.

The patent that I was remembering was not by Whit Diffie; rather it was
by a company (Arcot) who has Dr. Hellman on their Board of Directors.
Guilt by association I guess.... :-)

For anyone who is interested the relevant patent is #6,263,446 issued
to Kausik et al. on July 17th, 2001.  The patent is titled 'Method and
apparatus for secure distribution of authentication credentials to
roaming users.'  I have snipped and pasted the abstract below:

	A roaming user needing his authentication credential (e.g.,
	private key) to access a computer server to perform an
	electronic transaction may obtain the authentication
	credential in an on-demand fashion from a credential server
	accessible to the user over a computer network. In this way,
	the user is free to roam on the network without having to
	physically carry his authentication credential. Access to the
	credential may be protected by one or more challenge-response
	protocols involving simple shared secrets, shared secrets with
	one-to-one hashing, or biometric methods such as fingerprint
	recognition. If camouflaging is used to protect the
	authentication credential, decamouflaging may be performed
	either at the credential server or at the user's computer.

Before I get jumped on let me state clearly and for the record that I
don't mean to suggest that Kx509 is infringing or the above is even
relevant.  After my experiences, believe me, I can write a book on why
anyone who is even remotely interested in seeing open-source or
open-protocol solutions succeed would want nothing to do with this
patent mess.

It would take a boatload of attorneys to actually figure out whether
the above is relevant with respect to Kx509.  The cost of something
like that is probably why the whole patent scene is as dangerous as it
is.

The notion of solving the portability problem of PKI by accessing a
private key and/or certificate at demand time is a relevant problem.
That's why the above patent has always given me pause when I think
about architectures such as Kx509.

> 	peter

Best wishes for a pleasant weekend to everyone.

Greg

As always,
Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
4206 N. 19th Ave.           Specializing in information infra-structure
Fargo, ND  58102            development.
PH: 701-281-1686
FAX: 701-281-3949           EMAIL: greg at enjellic.com
------------------------------------------------------------------------------
"Open source code is not guaranteed nor does it come with a warranty."
                                -- the Alexis de Tocqueville Institute

"I guess that's in contrast to proprietary software, which comes with
 a money-back guarantee, and free on-site repairs if any bugs are found."
                                -- Rary
