Kerberos Rant

Tom Medhurst tom.medhurst at googlemail.com
Wed Apr 7 05:14:47 EDT 2010


Thanks for your comments Marcus.

I apologise; I am not totally familiar with the infrastructure of this
newsgroup's users! I entered this newsgroup via the MIT Kerberos web site and
assumed (incorrectly) that the purpose of this newsgroup was devoted to MIT's
implementation of the protocol.

Tim has kindly educated me about the various uses of MIT's implementation
inside an Enterprise. So I realise my comment regarding the boss's
girlfriend may have come across a little sarcastic.

I wasn't intentionally attempting to flame Microsoft (although I work with
their products daily, and with the exception of Exchange and AD I have very
little praise for them; so the undertones may have been laid
unconsciously?), my main issue is the cost of their licenses. I want to help
startup companies set up fast and feasible infrastructure without having to
pay out tens of thousands for equipment and software. In the current
climate, I believe this could be the difference between a small company
surviving or not! I need an open source way of providing homogeneous
authentication otherwise I am unable to achieve my goals.

Microsoft make very strong, conscious decisions which I cannot fault from a
business POV; but they often screw the little interop companies without a
second thought. I am indeed very aware of this.

Although my labour has exceeded the cost of the M$ Server OS (I said this to
prove a point which is still relevant), I am still not planning on giving up
on FOSS and moving to using Microsoft AD.

Many Thanks,
Tom

On Wed, Apr 7, 2010 at 10:00 AM, Marcus Watts <mdw at umich.edu> wrote:

> ...
> > My complaint is the Kerberos project is all about a security protocol. One
> > which can be used to replace the standard user authentication system of the
> > OS. Now it doesn't matter how Unix-friendly a company is; at some point in
> > time they will want/need to connect a Windows machine to their network (for
> > argument's sake, say the boss's new girlfriend has a Windows laptop) and
> > risk assessors will think of scenarios like this before using a technology.
> > If you can't cater for Windows' vast market share; you are no longer a
> > viable option!!
> ...
>
> What?  The folks on this mailing list do not all work at one place.
> Some of those places have large ms windows infrastructures, and there
> is a wide variety of different ways of marrying windows, unix, and other
> machines, with varying properties.  Of course, some of us are also in
> the happy position of being able to largely ignore ms windows.
>
> If you're talking specifically about MIT kerberos (and not just about the
> protocol), um, well, I believe MIT is a private educational institution,
> which has slightly different goals than a large commercial corporation.
> Your boss's new girlfriend might not fit those goals the way you think.
>
> Perhaps you intended to flame MicroSoft?  For *most* of the people on this
> list I venture to say there's little we can do to make your MicroSoft
> experience better.  That is because very few of us are in a position to
> directly influence the choices MicroSoft makes.  And MicroSoft, being
> a commercial company, does make decisions according to its perceived
> commercial interests.  One of the choices I found peculiar was their
> decision not to backport AES support to XP and older versions of windows.
> Presumably they don't see why their customers shouldn't just rush out and
> upgrade to Vista.  I'm sure they'll feel mostly comfortable when you say
> that the "*Winblows* Server OS" choice is cheaper and easier to deploy.
> This might not be what you want them to hear.
>
>                                -Marcus Watts
>


