Globus/GSI versus Kerberos

Ken Hornstein kenh at cmf.nrl.navy.mil
Thu Jul 7 10:53:49 EDT 2005


>I was curious if anyone has any comments (personal/political/technical) 
>or could point me to a decent resource comparing Globus versus 
>Kerberos.  I've had to work with Globus quite a bit, and the overall 
>trend in the existing GSI-based research grids is to move towards 
>centrally managed cert/key repositories despite the pure GSI notion of 
>keeping everything distributed.  There's a handful of new research 
>projects that basically take GSI and add that "centralized" portion, 
>although in my opinion it's starting to resemble a Kerberos 
>architecture.

Back in 1999 during a meeting about inter-operable authentication (it
was actually _at_ SDSC, interestingly enough), Globus was just starting
up (this was back when Legion was still considered a viable alternative
instead of the PhD generator everyone considers it now).  The Globus
guys gave a presentation on their authentication infrastructure, and
I pointed out that they had just reinvented a lot of Kerberos, and asked
them, "How come you guys didn't just use Kerberos?".

I was given what I can only politely say was a song and dance about
Kerberos cross-realm being "too tightly bound to each other", and they
preferred the "looseness" of certificate chaining, whatever that means.

When I cornered one of the Globus guys and asked him point-blank the
same question, he told me that in his opinion the decision to do PKI
was really driven politically from the top, and he thought Kerberos
made a LOT more sense.

In a more practical vein, I will note that Sandia uses (or at least
used to use) Globus with a Kerberos GSSAPI backend instead of the GSI
backend.  This was a few years ago, so I don't know what they're doing
now.  However, they told me that they were still using Globus 1, and
that doing Globus 2 was going to be a real bear because of the changes
they made to the GSSAPI layer for Globus 2 (even doing Globus 1 with
Kerberos required some GSSAPI changes which never made it back to any
of the open-source distributions).  I dunno if they ever went to Globus
2 or not (I may be remembering the version numbers wrong, but to me
this was the gist of what Pat Moore told me).  This to me illustrates
one of the problems with the GSSAPI ... to do the real interesting stuff,
you end up having to dig down into mechanism-specific extensions and
you lose the "generic" part of GSSAPI.

--Ken

