Kerberized authorization service

John Hascall john at iastate.edu
Mon Feb 11 13:11:26 EST 2008



Russ Allbery <rra at stanford.edu> writes:
> Stanford currently very much loses on this, in a wide variety of ways.  We
> really only have one authorization system that copes correctly with role
> status changes (provided that it's used properly), and it only knows how
> to talk to the financial system and isn't (currently) usable as a general
> authorization solution.  There is some active work in the Internet2 arena
> on this, but not to the point where I think people are deploying it.

   The problem with the Internet2's work in this area
   (i.e., Signet and Grouper) is that
   they seem like they've never met a problem
   that they didn't think the answer to it was:

    while (problem) {
      Throw the most complicated XML and Java possible at it.
    }

    (And they forgot to catch deathByBloatAndComplexityException)

John



More information about the Kerberos mailing list