Upcoming KfW 3.x ??

Jeffrey Altman jaltman at secure-endpoints.com
Thu Jan 7 17:19:12 EST 2010


On 1/7/2010 2:38 PM, Jeff Blaine wrote:
>>> I'd love to be a tester, but unfortunately I need to run the
>>> version our users have in order to troubleshoot things.
>> Without being a tester, you won't be able to ensure that the next
>> release works the way you want it to in your environment.  Unless you
>> are providing funding or some in-kind assistance in the development,
>> why should I spend my time answering your e-mails when you have trouble?
>
> I guess you shouldn't (?)
>
> Perhaps you could explain Secure Endpoints' role in KFW
> development?  Last I heard from a link on your website,
> MIT was hiring a full-time developer for KFW.  Did that
> not happen?

Secure Endpoints does not have a role with regards to MIT's distribution
at the present time.  We support a private distribution of KFW for our
support customers that has provided 64-bit and Vista/2008 (and now
Win7/2008-R2) support for some time.  Patches that we have implemented
have been given to MIT.  However, we are not involved in their release
process.

MIT KFW 3.2.3 Alpha (which I can no longer find on the MIT web site) roughly
equates to the distribution Secure Endpoints has been shipping to its
clients.

> If I install NIMv2 and report in detail on what I find in
> our environment, does that give me credits to use?
It would be a start.  Thank you for the beer money as well.

>>> Another aside, what release will have krb4 cred obtaining
>>> disabled by default?
>>
>> Any release you want.  As I have said before, you can use a transform
>> to configure the MSI installer to disable Kerberos v4.  You can do
>> this today
>
> I am asking when the decision might be made to turn it off by
> default in the master distribution, of course.  I already saw
> and read your previous response.

64-bit distributions of MIT KFW do not include Kerberos v4 at all.  At
this point if I were to issue a significant update (for example a bundle
of Network Identity Manager v2 and Kerberos v5 1.8) I would leave it out
on 32-bit platforms as well.  Kerberos v4 support should continue to be
available as a separate distribution for those sites that require it.
However, to my knowledge neither MIT Kerberos 1.7 nor the 1.8 which was
announced today builds on Windows.

The annual cost of developing MIT Kerberos for Windows and Network
Identity Manager is roughly $175,000.  The vast majority of the work that
Secure Endpoints has done on NIM over the last two years has been
unfunded.  I suspect the reason that the MIT Kerberos Consortium has not
focused significant energy on the Windows platform is because their
commercial board members (Microsoft, Red Hat, and Sun Microsystems) are
not interested in financing the development of the MIT APIs on the
Windows platform.  Microsoft has a strong interest in seeing applications
use the Win32 API (SSPI) and the Unix/Linux vendors might interpret
funding Windows development as counter to their interests.

I happen to believe that ensuring the viability of the GSS and MIT
Kerberos APIs on the Windows platform is absolutely in the best interest
of the Unix/Linux vendors because it ensures that application developers
will take the cross platform approach instead of locking themselves onto
the Windows platform by using the SSPI exclusively.  Failure to provide
support for new functionality on the Windows platform makes it much more
difficult to adopt that functionality on Unix/Linux.  Security solution
availability needs to be ubiquitous.  Otherwise, the solutions cannot be
deployed.

Jeffrey Altman



